Model Risk Management: Revised Interagency Guidance
Shift toward a risk-based approach
KPMG Regulatory Insights
- Tailored. Consistent with the agencies’ tailoring agenda, guidance is tailored to a banking organization's model risk profile and the size and complexity of its operations; it is generally intended for banking organizations with more than $30 billion, and for those with less than $30 billion if they have “significant exposure to model risk” due to the prevalence of complex models.
- Scope Refinement. The definition of "model" is narrowed to exclude simple arithmetic calculations and deterministic, rule-based processes. Generative AI and agentic AI models are not within the formal scope of the guidance but should follow a banking organization’s established risk management and governance practices.
- Risk-Based. Greater flexibility in model development and model validation testing scope; no prescriptive requirements for performance/sensitivity/stability but testing (and governance) rigor should be commensurate with the model’s inherent risk, exposure and purpose. Model validation activity, including timing and scope, may vary based on a model’s risk.
- Supervisory Posture. The guidance clarifies that supervisory criticism will not be issued for deviation from the guidance alone. Instead, it will arise when “insufficient” risk management is linked to unsafe or unsound practices or other violations of law.
- Looking Forward. The regulatory focus on a risk-based approach is an evolving topic that may accelerate given the updated guidance. The agencies indicate they anticipate considering additional measures to address model risk management consistent with supervisory and other goals, including a forthcoming request for information on AI models, including generative AI and agentic AI.
The Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) (collectively, “agencies”), issued revised interagency guidance on model risk management. The revised guidance is intended to clarify model risk management principles and to set forth a risk-based approach to model risk management.
Notably, the agencies state that the guidance does not set forth enforceable standards or prescriptive requirements and that noncompliance will not result in supervisory criticism. However, the agencies caution that supervisory action may result from any violations of law or unsafe or unsound practices stemming from insufficient management of model risk.
The key principles for effective model risk management include:
- Model Risk Assessment
- Model Development and Model Use
- Model Validation and Monitoring
- Governance and Controls
- Vendor and Third-Party Products
Highlights for each of these principles are outlined below.
Supervisory Guidance on Model Risk Management
The interagency guidance updates prior supervisory expectations to reflect changes in technology, industry practice, model use, and supervisory experience. It is expected the guidance will be “most useful” for models supporting a banking organization’s “significant” business lines, operations, services, and functions. Further, the agencies suggest the guidance:
- Sets forth a risk-based approach to model risk management, tailored to a banking organization’s model risk profile and the size and complexity of its operation.
- Is expected to be most relevant to banking organizations with over $30 billion in total assets, though it may be relevant to smaller banking organizations that have “significant” exposure to model risk because of the prevalence and complexity of their models or because of activities outside the scope of traditional community banking.
- Defines an applicable “model” as a “complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates;” this includes AI models but not generative or agentic AI models.
Model Risk Assessment: Model risk is influenced by a model’s inherent risk (increasing with complexity and the number of assumptions) and materiality, which is a combination of exposure (increasing with business impact) and purpose (involving the nature and importance of the model’s use – e.g., regulatory requirements, financial risk exposure, and business decision-making).
Model risk management includes:
- Assessing models individually and in the aggregate, which reflects interconnectivity among models.
- “Effective challenge” by independent individuals with appropriate expertise and organizational standing/influence.
- Considering the broader business risks that the model supports or influences.
Model Development and Model Use: Sound model development activities are aligned with model purpose, business use, and banking organization policy. “Effective” development and use processes include:
- A statement of purpose to support decision-making over the lifecycle (e.g., data, methodology, testing).
- Testing rigor commensurate with model complexity and materiality, conducted by model developers and users.
- Understanding model limitations with ongoing performance assessments, as well as considering additional analyses and controls when using a model beyond its intended purpose.
Model Validation and Monitoring. Validation is intended to identify model limitations and errors and to clarify appropriate use and potential need for corrective actions. It generally occurs prior to a model’s first use, though the timing, nature, and frequency of validation activities may vary based on model purpose, model methodology, frequency and scope of model changes, data limitations, and other practical constraints. The components of validation include:
- Conceptual soundness of the model design (e.g., assumptions, qualitative judgments, data selection), construction (e.g., interpretability measures, benchmarking), and testing (including the quality and extent of developmental testing).
- Outcomes Analysis of the model in contrast to real-world outcomes.
Model monitoring provides an opportunity to evaluate the extent to which a model is performing as expected given potential changes in products, exposures, activities, clients, data relevance, or market conditions.
Governance and Controls. All components of the model lifecycle benefit from model governance, supported by “clear policies and effective controls.” The extent and sophistication of model usage, including the size and complexity of the banking organization, inform model governance. Sound governance practices include:
- Roles and Responsibilities with clear and well-defined accountability, including conflicts of interest, with delineation of individual(s) responsible for key activities throughout the model lifecycle. For banking organizations that use external resources, proper oversight and integration into the broader model risk management activities is key.
- Model Inventory including a comprehensive set of information for models in development and in use to understand the individual model risks and effectively support risk management at the individual and aggregate levels.
- Documentation to adequately track recommendations, responses, exceptions and effectively manage model changes/updates and remediation efforts.
Vendor and Third-Party Products. An important element of model risk management is the validation of vendor products. The guidance reaffirms that vendor and third-party models are subject to the same model risk management principles as internally developed models.
Sound practice includes:
- Understanding the vendor model (including conceptual soundness, design, development data, and performance).
- Conducting ongoing monitoring and outcome analysis to assess whether the vendor models remain accurate, fit for purpose, and reliable.
- Documenting and evaluating any adjustments made to vendor model outputs.
Existing guidance superseded and replaced by the revised guidelines:
| Agency | Supersedes and Replaces |
|---|---|
| FRB | |
| OCC | |
| FDIC | |