Will Your Model Risk Management (MRM) Framework Stand Up To Scrutiny?

By Johnny Steele, Director, Banking at SAS UK

It’s now only a matter of weeks before the new model risk management (MRM) principles come into force on 17th May – and all eyes will be on the PRA to see how it approaches supervision and enforcement in this area over the coming year.

The PRA’s supervisory statement (SS1/23) represents a major change for banks because the PRA is extending its model risk management requirements beyond capital and stress testing to every model that might be used, including Artificial Intelligence (AI).

The regulator, aware of the disparate ways banks had been managing model risk, has set out clear expectations which aim to raise standards; improve the safety and soundness of models across departments; mitigate the risk of losses for individual banks; and protect the sector from future crises. It also wants to see MRM become a priority in firms, with specific board-level expectations being set, along with the inclusion of MRM into the Senior Managers Regime to ensure ownership and annual attestation in maintaining compliance.

Over the past two years, banks and other regulated financial services firms have been putting in place new processes to meet their obligations. In particular, they need to be able to ‘identify and manage the risks associated with the use of artificial intelligence (AI) in modelling techniques such as machine learning (ML) to the extent that it applies to the use of models more generally.’

Robust MRM is essential if banks are to unlock the business value of AI/ML while ensuring transparency and good governance, and ultimately protect their customers.

Why now?

Firms increasingly rely on models to manage their businesses. The volume of models in use has increased, and it will grow further as firms seek to maximise the potential of AI. A single MRM framework will set the standard for the industry to follow, and responsibly facilitate the adoption of AI/ML models.

Even without SS1/23, many risk professionals have been confronting the existential threat risk management poses to their firm, following the string of banking failures in the US. Our own research suggests that as many as 80% of them want to improve their asset liability management (ALM) processes, although not even a third have the technology and processes in place to support it.

While banks have, of course, spent months preparing for SS1/23, it has been a test for many of them. They recognise that becoming, and then staying compliant, will require a fundamental shift in the way they manage their models, and changes to organisational culture, mindsets, accountability and technology. For instance, data science teams will have to agree on a common approach to model lifecycle management – and overcome the problems that arise from using different tools and programming languages.

A degree of education is needed too. One senior leader I spoke to last year stressed the importance of MRM disciplines being embedded into the ‘first line of defence’ to ensure business ownership of models. The heads of businesses, as well as the data scientists who design and build models, will need to fully understand model risk for their business lines and ensure that the MRM policy for their firm is fully complied with. The PRA will expect ‘first line of defence’ business heads to be fully conversant with, and to understand, Model Risk in their business areas.

Flexible framework

Chief Risk Officers and bank boards will be in a much better position to meet the regulator’s requirements if there’s a solution in place to standardise the governance and processes around model registration, validation, approval, monitoring, reporting and aggregation of Model Risk, as well as tracking risk mitigants and any remediation that is required. The solution should provide full audit trail capabilities to support and evidence the annual attestation of compliance that is now required.

We’re already working with more than 75 banks globally, so they can embed MRM into their firms. With clear processes, and full visibility of what’s happening, they can flag up potential risks and take action long before they escalate. The requirements of SS1/23 go beyond the Fed’s existing SR11/7 regulation on MRM in the US; however, the principles are aligned. Twenty banks in the US, including 4 G-SIBs, have been successfully using SAS MRM to comply with SR11/7 for many years, so SAS is a trusted partner to deliver compliance with MRM regulations.

It’s important to note that the standardisation of MRM shouldn’t come at the expense of innovation. While the framework should absolutely support compliance, it also needs to be flexible enough for data scientists to prepare data, build and manage models – including generative AI and Large Language Models – using preferred tools and languages, and use automation to eliminate error and reduce time spent on repetitive tasks like approvals and reporting.

Staying compliant

Over the coming year, we will see what SS1/23 will look like in practice. The PRA will assess the ‘overarching MRM frameworks and MRM practices for a sample of firms with permission to use IMs to calculate regulatory capital’ during that period, so we could expect further guidance to come from that.

For now, it’s clear that those banks moving towards a unified ecosystem that provides complete Model Risk aggregation and reporting, model lifecycle management and end-to-end accountability and traceability for all models and AI will have a clear advantage over those reliant on disparate manual systems that are unsustainable in the longer term.

