Financial Institution Letters
June 7, 2017
Adoption of Supervisory Guidance on Model Risk Management
The FDIC is adopting the Supervisory Guidance on Model Risk Management previously issued by the Board of Governors of the Federal Reserve System ("FRB") (SR 11-7) and the Office of the Comptroller of the Currency ("OCC") (OCC Bulletin 2011-12), with technical conforming changes, thereby making the guidance applicable to certain FDIC-supervised institutions. The guidance addresses supervisory expectations for model risk management, including: model development, implementation, and use; model validation; and governance, policies, and controls. The FDIC is adopting this guidance to facilitate consistent model risk-management expectations across the banking agencies and industry.
Statement of Applicability to Institutions under $1 Billion in Total Assets: It is not expected that this guidance will pertain to FDIC-supervised institutions with under $1 billion in total assets unless the institution's model use is significant, complex, or poses elevated risk to the institution.
- Some FDIC-supervised institutions have increased their reliance on models for various functions, such as credit management, operational risk, valuation, and stress testing.
- The FDIC is adopting the Supervisory Guidance on Model Risk Management that was previously issued by the FRB and OCC to provide comprehensive guidance on effective model risk management, with the following technical conforming changes:
- revised definition of 'banks' to reflect the FDIC's supervisory authority and to reflect the FDIC's expectations that the Supervisory Guidance generally pertains to FDIC-supervised institutions with $1 billion or more in total assets, and
- revised references to existing guidance to reflect FDIC guidance.
- Model risk management should be commensurate with each institution's risk exposure, as well as the complexity and extent of its model use.
- An effective model risk management framework should include:
- disciplined and knowledgeable development that is well documented and conceptually sound,
- controls to ensure proper implementation,
- processes to ensure correct and appropriate use,
- effective validation processes, and
- strong governance, policies, and controls.
- Use of vendor and other third-party models should be incorporated into the model risk management framework.
Continuation of FIL-22-2017
- FDIC-Supervised Institutions (Commercial and Savings)
- Chief Executive Officer
- Chief Financial Officer
- Chief Risk Officer
- Risk Management
- Model Risk Management
- Ryan Sheller, Section Chief, Large Bank Supervision, (202) 412-4861, or Sumaya Muraywid, Senior Examination Specialist, Policy & Program Development, (202) 898-3904
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at https://www.fdic.gov/news/news/financial/
To receive FILs electronically, please visit https://service.govdelivery.com/accounts/USFDIC/subscriber/new.
Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).
June 7, 2017
Adoption of Supervisory Guidance on Model Risk Management
The FDIC is adopting the Supervisory Guidance on Model Risk Management (Guidance) that was issued by the OCC and FRB in 2011,1 with technical conforming changes as outlined in the Highlights section of the cover page. In recent years, many FDIC-supervised institutions have increased their reliance on models. The FDIC is adopting this Guidance to facilitate consistent model risk management expectations across the banking agencies and industry.
The FDIC recognizes that for institutions with under $1 billion in total assets, model use is typically not complex or significant, and generally does not pose elevated risk to these institutions. In addition, models used by such institutions are typically models that have been subject to longstanding supervisory guidance, such as asset liability management models that are subject to the interagency guidance on interest rate risk.2
Accordingly, it is not expected that this Guidance will pertain to FDIC-supervised institutions with under $1 billion in total assets unless the institution's model use is significant, complex, or poses elevated risk to the institution.3 In addition, Appendix A to Part 364 has long-established standards for safety and soundness for all FDIC-supervised institutions in the areas of internal controls and information systems; internal audit systems; loan documentation; credit underwriting; interest rate exposure; asset quality; earnings; and compensation, fees, and benefits. To the extent that models are used in these major operating areas of the institution, model use should be consistent with the safety and soundness standards.4
The Guidance defines models as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." Tools used for simple mathematical calculations are not models covered by this Guidance, but should nonetheless be subject to a reasonable control process. It is important to note that certain qualitative approaches are considered models under the Guidance. FDIC-supervised financial institutions should establish practices to identify models used across the organization and ensure that model risk management practices are commensurate with the institution's risk exposure and the complexity and extent of model use.
The Guidance addresses the concept of "effective challenge" as a guiding principle for managing model risk and essential to effective model risk management. Effective challenge is "critical analysis by objective, informed parties who can identify model limitations and assumptions and produce appropriate changes." Effective challenge refers to a combination of incentives, competence, and influence, as outlined in the Guidance. It is expected to be senior management's responsibility to ensure effective challenge takes place, and internal audit should ensure that appropriate effective challenge is being carried out.
The FDIC recognizes that many supervised institutions rely on models provided by vendors. The Guidance addresses the incorporation of vendor products into the institution's model risk management framework following the same principles as in-house models. Although much of the vendor product discussion in the Guidance is addressed under the Model Validation section, model risk management practices should not be limited to validation. Expectations for model risk management of vendor products are also addressed in the discussion of the model risk management process under the Model Development, Implementation, and Use section, as well as the Governance, Policies, and Controls section.
Finally, institutions should be mindful of consumer compliance and fair lending requirements when using models. For example, banks should evaluate the variables used in a model to determine whether they present or increase consumer compliance or fair lending risk.
2 See Joint Agency Policy Statement on Interest Rate Risk (FIL-52-96), FFIEC Advisory on Interest Rate Risk Management (FIL-2-2010), and Interagency Advisory on Interest Rate Risk Management Frequently Asked Questions (FIL-2-2012).
3 Total asset applicability threshold applies to FDIC-supervised institutions that have reported total assets of $1 billion or more in the four most recent consecutive Call Reports.
4 Appendix A to Part 364 of the FDIC Rules and Regulations - Interagency Guidelines Establishing Standards for Safety and Soundness. https://www.fdic.gov/regulations/laws/rules/2000-8630.html#fdic2000appendixatopart364.