BSA/AML Model Validation: Understanding Expectations and Balancing Reality

On April 4, 2011, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency released Supervisory Guidance on Model Risk Management (MRM, SR 11-7) that provided expectations for managing “model risk” within banking organizations. The FDIC adopted SR 11-7 on June 7, 2017. Models, defined as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates,” are heavily relied upon to assist in such areas as asset/liability management, credit decisioning and budget forecasting. Model risk encompasses the potential financial and reputational risks associated with poor decision making based on inaccurate usage of the model or inaccurate data output.

The guidance notes that a bank’s model risk management framework should be more “extensive and rigorous” when the model materially impacts business decisions, or the absence of the model could have a harmful impact on a bank’s financial condition. An initial and periodic model validation is noted as a key element to ensuring the model is performing in line with business objectives.

Do You Have a BSA/AML Model?

On April 9, 2021, the federal banking agencies, in consultation with the Financial Crimes Enforcement Network (FinCEN) and the National Credit Union Administration (NCUA), elaborated upon the previous guidance by releasing Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (MRM BSA, SR 21-8). The expanded guidance clarified that some BSA/AML systems would meet the definitions of “model”, as previously noted, yet others may not.

The original guidance (MRM, SR 11-7) notes the following three components of a model:

1.         An information input component, which delivers assumptions and data to the model.

2.         A processing component, which transforms inputs into estimates.

3.         A reporting component, which translates the estimates into useful business information

Using that framework, the guidance notes that “stand-alone, simple tools that flag transactions based on a singular factor” (e.g. cash transactions over $125k, aggregated cash reports for Currency Transaction Reports) would likely not be considered a model. Conversely, third-party BSA/AML monitoring solutions used for compliance-related activities, such as currency transaction reporting, monitoring transactions, detection of suspicious activity, or suspicious activity reporting, would most likely constitute a model.

Do You Need a BSA/AML Model Validation?

Model validations attempt to verify that models are performing as expected, in line with their design objectives and business uses. While a model validation is not a legal requirement, the guidance (MRM, SR 11-7) states, “Banks should conduct a periodic review—at least annually but more frequently if warranted—of each model to determine whether it is working as intended and if the existing validation activities are sufficient.”

The guidance (MRM, SR 11-7) notes, “It is not expected that this guidance will pertain to FDIC-supervised institutions with under $1 billion in total assets, unless the institution’s model use is significant, complex, or poses elevated risk to the institution.” Institutions that attempt to take advantage of the efficiencies built into third party BSA/AML monitoring solutions can often form a heavy reliance upon the models being used and should measure the need for a model validation on the magnitude of the reliance, not on their asset size.

We’re Here to Help

Regardless of how a BSA/AML system is formulated, implementing sound risk management is crucial. Banks are encouraged to incorporate the Supervisory Guidance when establishing their risk management frameworks. At CRI, we are well-versed in the diverse methods banks employ—whether through automated models or in conjunction with manual processes—to fulfill the requirements of an effective BSA/AML compliance program. If you have any questions or require assistance in understanding or applying this guidance, contact your CRI advisor. We are here to provide expert support and ensure your compliance strategies are robust and effective.