Agencies Review Supervisory Model Risk Management Guidance and BSA/AML Compliance
In a joint statement on model risk management principles, the Federal Reserve Board, the FDIC and the OCC, in consultation with FinCEN and the National Credit Union Administration (collectively, the "agencies"), described how their "Supervisory Guidance on Model Risk Management" (or "MRMG") relates to Bank Secrecy Act / Anti-Money Laundering ("BSA/AML") systems.
The agencies stated that there is no specific organizational structure for BSA/AML system oversight, and that a bank may decide which principles in the MRMG are useful to it. The agencies clarified that the MRMG:
- does not have "the force and effect of law";
- is not a set of testing procedures;
- does not establish the expectation that a bank have duplicative processes for complying with BSA/AML requirements;
- provides a definition for "models," which a bank should reference when determining whether a BSA/AML system is a model;
- provides "flexibility" in principles for a bank that is updating its models; and
- addresses third-party model principles.
Concurrent with the publication of the joint statement, the agencies issued a request for comment seeking information to determine whether additional clarification would be useful.
Comments on the notice must be submitted by June 11, 2021.
Commentary
Financial institutions should take with a grain of salt the agencies' assertion that, "[t]his statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations." The same document clearly states, "[f]or automated transaction monitoring systems, prudent risk management involves periodically reviewing and testing the filtering criteria and thresholds to ensure that they are still effective, as well as independently validating the monitoring system's methodology and effectiveness to ensure that the monitoring system is detecting potentially suspicious activity." While the interagency statement may not have the force of law, financial institutions' BSA/AML systems are required by law to be reasonably designed and risk-based; a regulator could easily determine that use of an automated transaction monitoring system without appropriate review, testing, and validation falls short of those legal requirements.