On December 21, 2016, the Office of the Superintendent of Financial Institutions (OSFI), released for comment a new draft Guideline E-23 on enterprise-wide model risk management (Guideline). The draft Guideline aims to address the increasing reliance by financial institutions on internal models in management decision making and sets out OSFI’s minimum standards for managing and controlling model risk. The comment period closes on February 28, 2017 and the Guideline, in its final form, is scheduled to take effect on November 1, 2017.
To control and mitigate the risk associated with the use of internal models, the draft Guideline will require financial institutions to establish an enterprise-wide framework, based on the three lines of defence, that will implement prudent practices for model development, review, approval, modification and de-commissioning.
If adopted as drafted, the Guideline will apply to banks, trust and loan companies, and foreign bank branches (Institutions). OSFI notes that the Guideline will take into consideration the potential operational burden of the new guidance on small and medium-sized Institutions. To this end, the draft Guideline distinguishes between internal models-approved institutions (IMAIs) and other standardized institutions (SIs). IMAIs are Institutions that have received OSFI approval to use an internal model for regulatory-capital purposes, while all other Institutions are considered SIs. OSFI’s expectations regarding IMAIs, SIs, as well as foreign bank branches and foreign bank subsidiaries, are as follows:
- IMAIs: IMAIs are subject to all of the requirements of the draft Guideline.
- SIs: OSFI notes that SIs “should strive to comply” with the Guideline but, at a minimum, must maintain an inventory of all models that are in use, identify and assess the “most material models” from a model risk perspective, and comply with governance and control requirements set out in OSFI’s other existing guidelines in respect of models.
- Foreign Bank Branches: OSFI expects foreign bank branches to demonstrate that their models related to counterparty risk exposures are a part of group risk policies that are subject to oversight by the foreign bank’s home jurisdiction. The draft Guideline is not clear on whether the new requirements will apply in any other respect to home-office approved models used by foreign bank branches.
- Foreign Bank Subsidiaries: OSFI expects foreign bank subsidiaries that rely on parent institution-approved material models to demonstrate that such models are fit for intended purpose within their model risk-management processes. The level of process required should be commensurate with the nature, size, complexity, and risk profile of the foreign bank subsidiary in Canada.
The draft Guideline sets out the following key elements for an enterprise-wide model risk-management framework:
- Materiality Assessment: Institutions should implement a model risk materiality classification scheme. The Guideline’s requirements will apply in respect of IMAIs to “any model that could materially impact the risk profile of an institution” and in respect of SIs to “material models that pose the most significant risks”.
- Model Development: Prior to model development, model users (the first line of defence) should identify and document a business rationale for the new model or for changing an existing model and should follow a model-development process established by the institution.
- Independent Review: Institutions should have model-review processes in place, independent from model development and model users, as a second line of defence to check whether models are sound and fit for their intended purpose.
- Approval: Institutions should have a dedicated model approver or model risk committee to approve new models and any material model modifications to existing models.
- Ongoing Monitoring: Models should be subject to a periodic review with a frequency that is consistent with their materiality assessments. The responsibility for ongoing monitoring falls on model users and owners (first line of defence) and reviewers (second line of defence). For models whose deficiencies have the greatest potential to generate immediate and material losses, Institutions are expected to use various measures, such as back testing, discriminatory analysis, stress-testing, and sensitivity analysis, in their ongoing validation and review process.
- Modifications and Decommission: Institutions should establish a process for managing model modifications and decommissioning.
- Internal Audit: Internal audit, as the third line of defence, should assess the overall effectiveness and adequacy of the model risk policy and determine compliance by the various stakeholders with that policy.
- Model Inventory and Documentation: Institutions should maintain an up-to-date inventory of all models in use and recently decommissioned. OSFI also expects that Institutions will maintain a thorough documentation during a life cycle of a model, which must be itemized in the model inventory.
- Outsourcing: Adopting a third-party vendor product for models or data does not eliminate the need to apply the process for vetting, approval, ongoing validation, decommissioning and overall documentation outlined in the draft Guideline, as would be conducted for in-house developed models and data sources. Institutions should have ultimate accountability for all outsourced activities, in accordance with OSFI’s Guideline B-10, and should seek access from the vendor to adequate technical documentation related to the model to understand how the model is designed, calibrated and operating. Where access to documentation is restricted due to vendor’s proprietary intellectual property, these restrictions must be demonstrated to OSFI’s satisfaction. Consideration will therefore need to be given as to how these proprietary restrictions are articulated in vendor agreements.
The draft Guideline will supplement — not replace — model-specific guidance set out in OSFI’s existing guidelines, such as in the Capital Adequacy Requirements Guideline A1 (in respect of capital models for credit risk, operational risk, and market risk), Guideline B-12 (in respect of interest-rate risk in the banking book), Guideline E-19 (in respect of internal capital adequacy assessment process), and Guideline E-22 (in respect of margin requirements).
Questions and comments on the draft Guideline should be sent to Greg.Caldwell@osfi-bsif.gc.ca at OSFI by February 28, 2017.