On June 7th, the Federal Deposit Insurance Commission announced its adoption of Supervisory Guidance on Model Risk Management that was previously adopted in 2011 by the Federal Reserve Board (SR 11-7) and the Office of Comptroller of the Currency (OCC Bulletin 2011-12). The FDIC’s action was announced through a Financial Institution Letter, FIL-22-2017. The FDIC expects the new requirements will not “generally pertain” to FDIC-supervised institutions with assets under $1 billion, unless the use of such models are “significant, complex, or poses elevated risk to the institution.”
The FDIC’s action is in recognition of the fact that banks increasingly utilize “models” to analyze risk across a range of operational areas. The policy recognizes that “all models have some degree of uncertainty and inaccuracy because they are by definition imperfect representations of reality.”
Under the policy, banks are expected to: (1) identify models that are in use within the institution; and (2) make sure that the use of the models is “commensurate with the institution’s risk exposure and the complexity and extent of model use.” According to the FDIC, the “guiding principle” of the policy is for banks to determine the “effective challenge” for utilizing models, which the FDIC defines as “critical analysis by objective, informed parties who can identify model limitations and assumptions and produce appropriate changes.” This process includes independent “validation” of models on an ongoing basis. Senior management is required to ensure such process takes place, and internal audits should ensure that the process is being carried out appropriately. This process should be carried out for in-house models as well as third party vendor models.
Under the policy, a “model” is defined as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” Simple “mathematical calculations” are not considered a model.
The Supervisory Guidance on Model Risk Management expands upon existing FDIC requirements related to operational and managerial standards to ensure safety and soundness, which standards carry out the requirements in Section 39 of the Federal Deposit Insurance Act. These standards are outlined in Appendix A to Part 364 of the FDIC rules, which cover the following operational areas: internal controls and information systems; internal audit systems; loan documentation; credit underwriting; interest rate exposure; asset growth; asset quality; earnings; and compensation, fees, and benefits. Banks are required to have practices in place within each of these areas in order to address safety and soundness problems “before capital becomes impaired.” These guidelines are intended to provide general guidance without “dictating” how banks should actually carry out policies within each of the identified areas.