AML Technology’s Impact for Mid-Market Depository Institutions
03/27/2019 by Eric Hale Financial Crimes
Depository institutions of all sizes are subject to the same BSA-AML regulations, but there has been a difference in how regulators have enforced these expectations as they went down the asset scale. Lately, regulators are increasing their expectations of mid-size institutions especially in the area of model validation and model risk governance, which impacts many aspects of the AML program. What do these changing expectations mean for mid-size institutions? Let’s start by focusing on the impacts of AML programs from OCC 2011-12, Supervisory, Guidance on Model Risk Management.
What is a Financial Model?
The OCC Supervisory Guidance on Model Risk Governance defined what a financial model is and detailed expectations for model use. This guidance has been adopted by the FDIC and other federal regulators. The OCC has defined a model as a “quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates, also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment.” Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs.
The two primary places models are found in an AML program are in transaction monitoring and customer risk ranking. Scenarios or rules used in transaction monitoring typically calculate amounts or counts of transactions meeting specified filter criteria, and then compare those calculated values against a threshold parameter triggers an event or alert. Customer risk-ranking models often assign scores to risk attributes. Those scores are aggregated to an entity, geography or product and services dimension. Dimension scores are aggregated to the customer level. The customer score is then banded across risk levels such as high, medium or low.
Both of these examples fit into the OCC definition of a model and therefore fall under the purview of model governance.
Compliance Expectations for Model Risk Governance for the AML Program
Financial Intuitions must establish resources as well as policies and procedures that are in line with the use of models and the specific risks they present to the institution. A larger, more complex organization typically makes greater use of models and has a more complex money laundering risk and therefore must create a robust organization structure to mitigate model risk and align with model risk governance expectations.
Responsibility for model governance starts with the board of directors who should establish an organizational approach to risk management. Senior management is ultimately responsible for ensuring the risk approach is executed. The business lines own model risk used to carry out operations and therefore must understand those risks and how they are being mitigated. The model risk taken by the business should be measured and controlled. The control function model risk associated with the AML model falls on two groups. It is the responsibility of the model risk department. Model development occurs within the BSA-AML organization. Internal audit ensures compliance with model risk policy and procedures.
Model Development and Use by the Organization
AML Models are developed with the BSA-AML department or by third-party vendors through engagement with the model risk department to mitigate money laundering risks specific to the financial institution. Model development starts with clear documentation regarding model purpose. Techniques and methodologies used in the model should be well established and referenceable. Model inputs, logic, output usage, assumptions and limits should be clearly documented so that the business line can understand how the model should be used.
A model should be tested to validate its components, overall functioning and whether the model is performing as intended. With AML transaction monitoring scenarios, inputs should be clearly documented. Any potential data quality issues should be raised and monitored so that issues can be flagged. There should be an empirical process to set an alerting threshold. This tuning process should be performed before the initial roll out and again on an annual basis moving forward. The other time that it should be performed is when there is a change in the input limits or assumptions have been updated. The tuning process should be documented and made available to the business line, model risk, internal audit and regulators.
Internal audit should ensure that the business line is using the models as intended and the model risk and BSA-AML departments should solicit business line feedback to improve and validate models.
How Effective Challenge can Guide Risk Management Models
The OCC defines effective challenge as a guiding principle for managing model risk, critical analysis by objective, informed parties who can identify model limitations and assumptions and produce appropriate changes. The OCC also assigns to senior management, the business line, internal audit and model risk the responsibility to ensure effective challenge. The responsibility for executing effective challenge is typically found in the BSA-AML department.
Effective challenge in AML transaction monitoring requires a micro and macro focus. Individual scenarios should be analyzed to ensure that the techniques used are meeting the model purpose and that those techniques are optimal for meeting that purpose. At a macro level, all the scenarios or rules that make up the transaction monitoring should be analyzed to identify overlap and gaps against existing and emerging risks.
Achieving effective challenge requires financial institutions to build an appropriate data architecture to feed analysis, establish a capable team of data analysts or data scientists and provide those resources with the appropriate tools to analyze risk coverage and present the results of that analysis to roles responsible for ensuring effective challenge.