When it comes to financial decision making, banks rely heavily on quantitative analysis models, from underwriting credits to determining capital and reserve adequacy to measuring many forms of risk. However, these models come with their own difficulties—which is why, in 2011, the Office of the Comptroller of the Currency issued “Supervisory Guidance on Model Risk Management.” This national bank guidance is frequently referenced by the other federal regulators as well.
The Comptroller’s Office defined “model” as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” This would include the Anti-Money Laundering and Bank Secrecy Act (AML/BSA) models frequently used by banks to spot suspicious activity and effectively report it.
Banks faces numerous challenges today in administering an effective AML/BSA model program. We’ll discuss some basics and then review the top challenges.
Some background about models
Three components go into an AML/BSA model:
1. Information input, which delivers assumptions and data to the model.
2. Processing, which executes predefined calculations on the input and provides results.
3. Reporting, which translates results into useful business information.
According to the Comptroller’s Office, elements of a sound model management include model validation; system administration; understanding system limitations; change management controls; data integrity and testing of source transactions; and validity of reporting parameters.
However, models have potential for adverse consequences, so it’s important that banks watch out for these pitfalls.
Here are a few areas that banks struggle with in managing their AML/BSA models:
1. The model’s framework fails to align with regulatory expectations.
This is basic, but critical. If the basic framework isn’t correct, nothing that follows will be either.
2. “Off-the shelf” solutions fail to match the bank’s AML risk profile.
Often, banks over-rely on “off the shelf” processing of model parameters from vendors, but those frameworks aren’t appropriate for their institutions. It’s like buying a suit without having alterations made. How many off-the-rack suits fit anyone perfectly? Banks aren’t one-size-fits-all, and neither are AML/BSA models. It’s important to be able to conduct profiling based on actual activity.
3. Banks fall victim to logic errors that deliver incorrect results that can’t be acted on.
This is all about how you group different customer accounts—by relationship, taxpayer I.D., authorized signatures, etc. Banks may think they’re getting all of an individual or family’s data, only to find they’re only getting data on one person at a time. It’s important to have the necessary expertise for effective results and reporting of suspicious activity.
4. Banks are using models incorrectly, which means important customer or transaction risks may go undetected.
Often, banks are only using a small fraction of the rules available to them. Yes, the models can be complex and overwhelming. But using only a minimal amount of a model’s capabilities resembles purchasing Excel and using it as a calculator.
5. Banks use an inconsistent approach or fail to produce detailed documentation and quantitative analysis to support model risk management activities.
The model is only as good as its information (think “garbage in, garbage out”). That’s why it’s important not to abide by default values or allow staff to tweak the number of transactions based on individual preferences. Rather, such decisions should be based on risks associated with the bank and documented for reasonableness and replication for effective continuity and succession management.
6. Banks lack the right resources and expertise to manage model risk.
Either existing bank staff don’t have the expertise, or the software was purchased and implemented years ago with no succession plan in place for when the person who oversaw the process left. Remaining staff are hard-pressed to determine why certain decisions were made, and banks are left vulnerable.
7. Banks fail to update their models, which calls into question model accuracy.
Just as a bank evolves over time, so must the AML/BSA model. It’s important to keep it up-to-date as conditions change and as software upgrades occur. Moreover, model parameters should reflect customer transactions and current banking products—banks must revisit models as circumstances warrant.
Many banks implemented AML/BSA models in hopes they’d make compliance easier with the data analytics. However, in some cases, managing the model has presented additional challenges and has consumed more time than originally planned.
These models are beneficial to the AML/BSA program and they do work. However, they’re not self-sufficient.
The key is to invest the time and resources to understand the parameters and develop the model to best meet the bank’s needs. In addition, partnering with an independent expert for a AML/BSA model validation will not only help you meet regulatory expectations but it may also result in insights that could help your bank enhance the effectiveness of the model.
— Elizabeth Snyder, senior manager, Plante Moran, [email protected]