Understanding the supervisory guidance on model risk management for anti-money-laundering systems

Although federal regulators have provided some guidance around model validations for anti-money-laundering (AML) systems, some financial institutions may not understand what to expect when their systems are validated.

Background

On June 7, 2017, the Federal Deposit Insurance Corporation (FDIC) adopted the supervisory guidance on model risk management originally issued by the Office of the comptroller of the currency (OCC) and the Federal reserve.

With the FDIC’s adoption, three major bank regulatory bodies have adopted guidance pertaining to model validations. This means institutions could start receiving guidance or scrutiny during Bank Secrecy Act (BSA) examinations.

While the original bulletin focused on credit, liquidity, and capital applications, it’s being applied to AML systems as well to help make sure institutions:

• Adequately assess risk
• Properly use the AML system

Frequency of model validation

The guidance states that financial institutions should complete a model validation at least annually. While this timeframe could be extreme in some cases, it’s important to note that AML model validations do need to be completed on a periodic basis.

Model validations aren’t something that’s completed once and then the regulatory requirement is met. The frequency at which model validations need to be completed is based on the complexity of the institution and if there’ve been any recent critical changes effecting the system.

Examples of critical changes that may prompt an AML-system validation include the following:

• Upgrade or change to core systems
• Change in the BSA or AML risk profile
• Changes to the customer base
• Addition of a new product or service