Mid-Market Banks Need Appropriate AML Data Models
03/27/2019 Financial Crimes
Financial institutions of all sizes are subject to the same BSA-AML regulations. There has been a difference in how regulators have enforced these expectations as they went down the asset scale. Lately, regulators are increasing their expectations of mid-size institutions, primarily in the area of model validation and model risk governance.
What do these changing expectations mean for mid-size institutions? Let’s start by focusing on the impacts on anti-money laundering (AML) programs from OCC 2011-12, Supervisory Guidance on Model Risk Management.
The OCC Supervisory Guidance on Model Risk Governance defined what a financial model is and detailed expectations for model use. The FDIC and other federal regulators have adopted this guidance.
The OCC defines a model as a “quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” The definition “also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment.”
Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs. The two primary places models are found in an AML program are in transaction monitoring and customer risk ranking.
Scenarios (or rules) used in transaction monitoring typically calculate dollar amounts or counts of transactions meeting specified filter criteria. They then compare those calculated values against a threshold parameter. If the threshold is met, the scenario triggers an event or alert.
Customer risk ranking models often assign scores to risk attributes. Those scores are aggregated to an entity, geography or product and services dimension. Dimension scores are aggregated to the customer level. The customer risk rating is then banded across risk levels such as high, medium, and low.
Both of these examples fit into the OCC definition of a model and therefore fall under the purview of model governance.
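A minimal sketch of the two model types described above, added here as an illustration and not taken from the OCC guidance or any vendor product. The transactions, attribute scores, thresholds, and band cut-offs are all constructed values, and summing scores is an assumed aggregation method.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: (customer, date, transaction type, amount in USD)
TXNS = [
    ("C1", date(2019, 3, 1), "cash_deposit", 4000.0),
    ("C1", date(2019, 3, 4), "cash_deposit", 4500.0),
    ("C1", date(2019, 3, 6), "cash_deposit", 3000.0),
    ("C1", date(2019, 2, 1), "cash_deposit", 9000.0),  # outside the lookback window
    ("C2", date(2019, 3, 5), "cash_deposit", 2000.0),
    ("C2", date(2019, 3, 5), "wire_out", 50000.0),     # excluded by the type filter
]

def run_scenario(txns, txn_type, as_of, window_days, threshold, measure="sum"):
    """Filter transactions, aggregate per customer, alert where the threshold is met."""
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(float)
    for customer, day, kind, amount in txns:
        if kind == txn_type and start < day <= as_of:
            totals[customer] += amount if measure == "sum" else 1
    return {c: v for c, v in totals.items() if v >= threshold}

# Hypothetical attribute scores, grouped by the three dimensions named in the text.
ATTRIBUTE_SCORES = {
    "entity": {"individual": 5, "cash_intensive_business": 30},
    "geography": {"domestic": 5, "high_risk_jurisdiction": 40},
    "products_services": {"checking": 5, "international_wires": 25},
}
BANDS = [(60, "high"), (30, "medium"), (0, "low")]  # assumed cut-offs, highest first

def rate_customer(attributes):
    """Attribute scores -> dimension scores -> customer score -> risk band."""
    dims = {
        dim: sum(scores[a] for a in attributes.get(dim, []))
        for dim, scores in ATTRIBUTE_SCORES.items()
    }
    total = sum(dims.values())
    band = next(label for floor, label in BANDS if total >= floor)
    return dims, total, band

if __name__ == "__main__":
    print(run_scenario(TXNS, "cash_deposit", date(2019, 3, 7), 7, 10000))
    print(rate_customer({"entity": ["cash_intensive_business"],
                         "geography": ["high_risk_jurisdiction"],
                         "products_services": ["checking"]}))
```

Every constant in the sketch (filter, lookback window, threshold, scores, band cut-offs) is a model parameter or assumption of the kind that model governance expects to be documented and validated.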
Financial institutions must allocate resources as well as policies and procedures that are in line with the use of models and the specific risks they present to the institution. A larger business makes greater use of models and has a more complex money laundering risk. Therefore it must create a robust organizational structure to mitigate risk and align with model risk governance expectations.
Responsibility for model governance starts with the board of directors who should establish an organizational approach to risk management. Senior management is ultimately responsible for ensuring the risk approach is executed.
The business lines own model risk so they must understand those risks and how they are being mitigated. Model development occurs within the BSA-AML department. Internal audits ensure compliance with model risk policy and procedures.
AML models are developed within the BSA-AML department or by third-party vendors through engagement with the model risk department. Model development starts with clear documentation regarding model purpose. Techniques and methodologies used in the credit risk model should be well established and documented. Model inputs, logic, output usage, assumptions, and limits should be clearly documented so that the business line can understand how the model should be used.
A model should be tested to validate its components, overall functioning, and whether the model is performing as intended. With AML transaction monitoring scenarios, inputs should be clearly documented. Any potential data quality issues should be raised and monitored so that issues can be flagged.
There should be an empirical process to set an alerting threshold. This tuning process should be performed before the initial rollout and again on an annual basis moving forward. It should also be performed whenever the input limits change or assumptions are updated. The scenario tuning process should be documented and made available to the business line, model risk, internal audit, and regulators.
Internal audit should ensure that the business line is using the scenario models as intended. The model risk and BSA-AML departments should solicit business line feedback to improve and validate these models.
The OCC defines effective challenge, a guiding principle for managing model risk, as critical analysis by objective, informed parties who can identify model limitations and assumptions and produce appropriate changes.
Also, the OCC assigns to senior management, the business line, internal audit, and model risk the responsibility to ensure effective challenge. The responsibility for executing effective challenge is typically found in the BSA-AML department.
AML transaction monitoring requires a micro and macro focus. At a micro level, each scenario should be analyzed to ensure that its techniques are meeting the model purpose and that those techniques are optimal for meeting that purpose. At a macro level, all the scenarios or rules that make up the transaction monitoring should be analyzed to identify overlap and gaps against existing and emerging risks.
Achieving effective challenge requires financial institutions to build an appropriate data architecture to feed analysis, establish a capable team of data analysts or data scientists, and provide those resources with the proper tools to analyze risk coverage and present the results of that analysis to the roles responsible for ensuring effective challenge.