Complex regulatory challenges loom for UK bank risk models

The paper outlines the Prudential Regulation Authority’s (PRA) vision for improved model risk governance, including five key principles that must be integrated into every firm’s risk management framework. 

New MRM principles

By providing a consistent set of expectations for all model types, the PRA’s new principles intend to address the model risk management (MRM) shortcomings identified through the authority’s concurrent stress testing programme. The principles support existing guidance (such as CRR, SS3/18, SS11/13) but broaden the requirements to areas such as risk-based pricing, fraud and balance sheet management, where model-specific expectations are not set by the PRA. There is a renewed focus on supporting a firm’s external audit of accounting models used for financial reporting with MRM information. An overall model lifecycle is defined considering modelling, validation and control systems and artificial intelligence and machine learning models receive specific focus given the rapid increase in data processing capacity and the level of model risk these applications can introduce.

These expectations are proportionate, with ‘simpler-regime’ firms (as defined in the PRA’s CP5/22 - The Strong and Simple Framework: a definition of a Simpler-regime Firm) having limited requirements for principles 2-5.

1. Identification and risk classification

The PRA provides a specific definition of a model. There is a distinction between models and other quantitative methods, with expectations that even tools that do not meet the definition of a model should be controlled. Expectations are set for the level of information that must be recorded and reported for each model. A renewed focus on risk classification and tiering sets the requirement for a consistent approach for all model types, focussing on the key drivers of model risk.

2. Governance

Key to enhancing risk management, the PRA requires a Senior Management Function holder to be held accountable for the firm’s MRM. This is designed to ensure the board is actively engaged in MRM and to set a suitable risk appetite. The supervisory statement sets policy requirements to contain all elements of the principles and the interaction with a firm’s broader risk management framework. There are expectations about defining roles and responsibilities for key staff and frequent interaction with a firm’s audit function. There is also a significant expectation that third party models will require the same level of assurance as internal models.

3. Model development and use

This principle defines a comprehensive set of requirements for process, data and assumption control, and documentation and testing that should be followed and evidenced for each model contained in a firm’s inventory.

4. Independent model validation

This principle highlights specific expectations for an independent validation function (IMV), and how independence is defined. The topics for review and validation are detailed and are broadly consistent with principle 3. IMV reviews must cover the theoretical design of the model (including data and assumptions), process verification to ensure the model works as intended and monitoring performance review.

5. Model risk mitigants

Clear expectations are provided on how firms mitigate model risk issues through the implementation, control and remediation of post-model adjustments. Requirements define that an MRM function must have the authority (or clear escalation route) to restrict the usage of a model or its outcomes, where a predefined threshold for model risk has been breached. This should be complemented by an exceptions/exclusions policy.

Impact on firms

The topics and themes presented in the consultation paper and supervisory statement should be familiar, at differing degrees, to most firms. However, these expectations, and in particular the broadening scope of MRM to include more model types, will require a significant increase in effort to establish a standalone MRM framework. MRM is already a considerable challenge for firms given the volume of work required to manage model risk effectively, combined with the specialist resource requirements for IMV. Smaller firms, particularly where MRM is less of a priority, must make decisive changes to embed model risk culture in the working practices of both senior management and technical staff.

Key challenges ahead

Necessarily, banks of different sizes and complexity will experience different challenges with this new regulation. That being said, all firms should prepare for the following specialist requirements:

    •    Updating existing risk frameworks to include all new requirements

    •    Ensuring all models are captured and appropriately tiered in accordance with the new definitions

    •    Identifying the need to engage suitably qualified experts, or train current staff, to fulfil the roles of MRM governance and validation.

    •    Demonstrating that the framework is effective by managing to a clear risk appetite and use of controls/mitigants

    •    Providing evidence that third party models have received the sufficient independent challenge to meet the expectations set in a firm’s own framework

    •    Remediation of any models that fall short of the new standards

    •    Improving model risk culture to ensure that an MRM function commands sufficient authority to operate effectively

The consultation paper is expected to conclude with the implementation of the supervisory statement in the first quarter of 2023. UK banks should already begin planning how they will address these key challenges.

The Financial Times would like to sponsor your first month’s subscription to Global Risk Regulator. To start your ‘no obligation’ trial please contact: ella.jacob@ft.com