Alerts

Federal Banking Regulators Update Guidance on Model Risk Management Practices for AML and Sanctions Compliance

June 10, 2021

On April 9, 2021, the Federal Reserve, the FDIC and the OCC[1] jointly issued an interagency statement concerning the applicability of model risk management guidance on systems used to support Bank Secrecy Act/Anti-Money Laundering compliance programs (“2021 Interagency MRM Statement”).[2] The 2021 Interagency MRM Statement addresses certain concerns raised by industry members, namely that prior guidance concerning model risk management as applied to anti-money laundering (“AML”) and sanctions programs may inhibit the ability of the industry to adopt and deploy novel solutions to address AML and sanctions-related risks.

Model Risks

In 2011, the OCC and the Federal Reserve issued broad and comprehensive guidance for banks detailing what an effective model risk management framework should look like (“2011 MRM Guidance”).[3] The 2011 MRM Guidance defines models broadly to cover quantitative methods, systems or approaches that apply statistical, economic, financial or mathematical theories, techniques and assumptions to process data and model risk as the potential for adverse consequences from decisions based on incorrect or misused models.

Under the 2011 MRM Guidance, a model typically involves three main components:

An information input component, which delivers assumptions and data to the model;
A processing component, which transforms inputs into estimates; and
A reporting component, which translates the estimates into useful business information.

While the model was broadly defined under the 2011 MRM Guidance, since its initial publication industry members have questioned how the risk management principles described therein should be applied to the systems and models used for AML and sanctions compliance. Industry members have also raised concerns that the application of novel approaches to data science to address AML and sanctions risk, such as machine learning, could be inhibited by an overly mechanical application of the risk management principles detailed therein.

The 2021 Interagency MRM Statement

In response to these concerns, federal banking agencies issued the 2021 Interagency MRM Statement, expressly reminding industry members that the 2011 MRM Guidance was provided as a guide to the benefits of implementing a model risk management framework and that the 2011 MRM Guidance did not, and does not, have the force and effect of law. Specifically, the 2021 Interagency MRM Statement attempts to provide additional certainty to industry members by explaining that:

Whether a system used specifically for AML is considered a “model” is an industry member-specific determination;
Industry members may use the 2011 MRM Guidance[4] to inform their AML practices, but are not obligated to do so in every case; and
Industry members that are currently effectively managing the risks of their AML and sanctions programs without relying on the 2011 MRM Guidance are not required to update existing practices.

For example, the 2021 Interagency MRM Statement explains that most industry participants utilize automated transaction monitoring or AML surveillance systems to mitigate AML and sanctions risk or identify transactions for Suspicious Activity Reporting purposes. Simple tools that flag transactions on the basis of a single criterion (i.e., reports that identify cash, wire transfer or other transaction activity over certain value thresholds) or report aggregate cash transactions are not typically considered models for purposes of the 2021 Interagency MRM Statement.[5] More advanced, tools, however, should be evaluated on the basis of the three key criteria detailed in the 2011 MRM Guidance and based on the individual features of the AML and sanctions program. Regardless of whether an industry participant defines an automated transaction monitoring or AML surveillance system as a model, the 2021 Interagency MRM Statement reminds industry participants that the 2011 MRM Guidance is non-binding and no specific organizational structure is required for oversight. Specifically, the 2021 Interagency MRM Statement confirms that there is “no requirement or supervisory expectation that banks have duplicative processes for complying with BSA/AML regulatory requirements” and “no requirement that a bank perform duplicative independent testing activities.”

Depending on the specifics of the models being utilized, banks should consider whether implementing the model risk management guidelines would be beneficial or burdensome to their individual AML program, as the ultimate goal of the model risk management guidance is to provide flexibility for banks in developing and implementing their models.

Broker-dealers and other industry participants should be mindful of the guidance contained in the 2011 MRM Guidance and the 2021 Interagency Statement, as the SEC and FINRA may use these statements as a guidepost to evaluate the tools firms are relying on to comply with their BSA and AML obligations.

This is part of a series of SRZ Alerts regarding AML and sanctions compliance. In addition to our robust Bank Regulatory practice, which advises financial institutions on anti-money laundering and OFAC compliance, SRZ has a Broker-Dealer Regulatory & Enforcement and White Collar Defense & Government Investigations practice that assists banks, broker-dealers, investment advisers, funds, insurance companies and other financial institutions with enforcement actions involving AML and sanction program deficiencies.

Authored by Betty Santangelo, Melissa G.R. Goldstein, Derek N. Lacarrubba and J. Eric Prather.

If you have any questions concerning this Alert, please contact your attorney at Schulte Roth & Zabel or one of the authors.

[1] The interagency statement was prepared in consultation with the Financial Crimes Enforcement Network and the National Credit Union Administration.

[2] Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (April 9, 2021), available here.

[3] Supervisory Guidance on Model Risk Management (April 4, 2011), available here.

[4] The model risk management guidelines do not apply to credit unions, as it was not issued by the National Credit Union Administration.

[5] 2021 Interagency MRM Statement at 3.

This communication is issued by Schulte Roth & Zabel LLP for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. In some jurisdictions, this publication may be considered attorney advertising. ©2021 Schulte Roth & Zabel LLP.