PRA consults on Model Risk Management

The PRA has published its long-awaited consultation (CP) and a draft supervisory statement (PDF 949KB) on model risk management principles for banks.

The principles contain the key elements that the PRA considers necessary in an effective model risk management (MRM) framework and would be relevant for all regulated UK-incorporated banks, building societies and PRA-designated investment firms. Responses are requested by 21 October.

KPMG welcomes the CP and the proposals contained therein. For too long MRM has been undervalued despite the ever increasing usage and complexity of models. The PRA has set out sensible and considered principles that will help strengthen the governance and understanding of model risk across UK financial services firms. Whilst a lot of the content is not ground-breaking per se and largely builds upon best global practices, the requirements for Senior Manager accountability, Financial Reporting Audit requirements and future-proofing through the inclusion of AI and ML will certainly raise some eyebrows — both positively and negatively.

Poor quality model submissions, issues with IFRS9 and a general reluctance to invest and bolster MRM functions in the UK (as evidenced by recent reviews) have highlighted the increasing need for sound model governance and effective MRM practices. Models and scenario analysis are a key component of banks' decision-making, risk management and reporting, and reliance on them is growing, as is the use of more sophisticated modelling techniques (including AI and ML techniques).

The proposed principles are intended to help raise the standard of MRM practices at UK firms, support the safe adoption of developing technologies and ensure consistency of approaches across firms. The PRA would like to see firms take a strategic approach to MRM “as a risk discipline in its own right”.

The PRA has proposed five core principles to be adopted by firms:

1) Model identification and model risk classification — firms to have an established definition of a model that sets the scope for MRM, a model inventory, and a risk-based tiering approach to categorise models to help identify and manage model risk.

2) Governance — firms to have strong governance oversight with a board that promotes a MRM culture from the top through setting clear model risk appetite. The board should approve the MRM policy and appoint an accountable individual to assume responsibility for implementing a sound MRM framework.

3) Model development, implementation and use — firms to have a robust model development process with standards for model design and implementation, model selection, and model performance measurement. Testing of data, model construct, assumptions, and model outcomes to be performed regularly in order to identify, monitor, record, and remediate model limitations and weaknesses.

4) Independent model validation — firms to have a validation process that provides ongoing, independent and effective challenge to model development and use. The individual or body within a firm responsible for model approval should ensure that validation recommendations for remediation or redevelopment are actioned so that models are suitable for their intended purpose.

5) Model risk mitigants — firms to have established policies and procedures for the use of model risk mitigants when models are under-performing, and also procedures for the independent review of post-model adjustments (PMAs). 

The principles cover all elements of the model lifecycle and would apply to all types of models used to inform key business decisions, whether developed in-house or externally (including vendor models), including models used for financial reporting purposes and models using AI and ML techniques.

The CP is relevant to all firms in the wider banking sector and their external auditors. Credit unions, insurance, and reinsurance firms are out of scope — the PRA will consider at a later date whether MRM practices need to be strengthened for insurers. The proposals would not apply to third-country firms operating in the UK through a branch, however the PRA notes that those firms might find them useful and could consider using them to manage their model risk.

The proposals have been designed with existing and future policy in mind. They are intended to complement and accommodate current requirements, such as those set out for credit, counterparty credit and market risk (including IMM, IRB, PRA guidance on market risk and stress testing, and Basel Committee guidance on credit risk and accounting for expected credit losses). They are also broad enough to accommodate developments in, for example, AI and MI.

The proposals do not replace any existing regulatory or supervisory requirements although it is possible that frameworks may be rationalised in the future.

The principles would be applied proportionately based on the size, business activities, and the complexity and extent of firms' model use.
Within firms, the framework should also be applied proportionately, in line with the risk tier assigned to each model.

Simpler-regime firms, as defined by the PRA in CP5/22 (PDF 444KB), should apply principle 1 in full and the basic elements of principle 2. They would only be expected to apply principles 3, 4 and 5 to material and/or complex models — these models would likely be limited in number.

Responsibility for the overall MRM framework would be allocated to the most appropriate SMF holder, using a centralised approach — in many cases this may be the SMF4 Chief Risk Officer Function. The PRA notes that the appointment of an accountable individual would not relieve risk and control functions of their respective responsibilities in relation to model use and development.

Engagement and participation of senior management and boards would be expected in MRM governance processes, including in challenging model outputs.

The PRA proposes that firms report on the effectiveness of MRM for financial reporting to their audit committee on a regular basis — at least annually — to facilitate effective audit planning.

The engagement of external auditors can be beneficial where supervisors are able to make use of their work when reviewing firms' MRM.

• The consultation will close on 21 October 2022.
• The PRA proposes that the principles should be implemented 12 months after publication of the final supervisory statement. In practice, this is likely to be Q4 2023 or Q1 2024.
• By the implementation date, the PRA proposes that firms will have carried out a self-assessment against the principles and prepared remediation plans to address any shortcomings:
  • Self-assessments should then be updated annually with remediation plans also reviewed and updated on a regular basis. Self-assessment findings and remediation plans should be shared with firms' boards. Simpler-regime firms will be able to select a frequency that is less than annual for subsequent self-assessments.
  • A board-appointed accountable individual for MRM will be responsible for ensuring remediation plans are in place with clear ownership for any actions needed.
  • Firms would not be expected to share the remediation plans or self-assessment routinely with the PRA but should be able to provide them upon request.