PRA model risk management principles

The PRA's May 2023 policy statement (PS6/23), incorporating Supervisory Statement (SS) 1/23, addresses feedback to the 2022 consultation on model risk management (MRM)— see our article here — and sets out the final requirements for an effective MRM framework for banks in the UK.

As noted in our earlier article, poor quality model submissions, issues with IFRS9 and a general reluctance to invest and bolster MRM functions in the UK highlighted the increasing need for sound model governance and effective MRM practices. Models and scenario analysis are a key component of banks' decision-making, risk management and reporting, and reliance on them is growing, as is the use of more sophisticated modelling techniques (including AI (Artificial Intelligence) and ML (Machine Learning) techniques).

CP6/22 (published in June 2022) set out five key MRM principles for banks and these are retained in PS6/23. The principles are intended to help raise the standard of MRM practices at UK firms, support the safe adoption of developing technologies and ensure consistency of approaches across firms:

1. Model identification and model risk classification: firms should have an established definition of a model that sets the scope for MRM, a model inventory, and a risk-based tiering approach to categorise models to help identify and manage model risk. 
2. Governance: firms should have strong governance oversight with a board that promotes an MRM culture from the top through setting clear model risk appetite. The board should approve the MRM policy and appoint an accountable individual to assume responsibility for implementing a sound MRM framework that will ensure effective MRM practices.
3. Model development, implementation and use: firms should have a robust model development process with standards for model design and implementation, model selection, and model performance measurement. Testing of data, model construct, assumptions, and model outcomes should be performed regularly in order to identify, monitor, record, and remediate model limitations and weaknesses.
4. Independent model validation: firms should have a validation process that provides ongoing, independent, and effective challenge to model development and use. The individual or body within a firm responsible for the approval of a model should ensure that validation recommendations for remediation or redevelopment are actioned so that models are suitable for their intended purpose.
5. Model risk mitigants: firms should have established policies and procedures for the use of model risk mitigants when models are under-performing and have procedures for the independent review of post-model adjustments.

While retaining the five original principles, PS6/23 includes the following amendments, based on further considerations of scope and industry feedback:

• Scope: to ensure proportionate implementation of the principles, the PRA has narrowed the scope of expectations to apply only to internal model (IM) firms only, whilst it finalises the definition of a `simpler-regime firm'. Once this is agreed, the PRA will provide an update on the approach for all other firms— for more on the simpler regime consultation see our analysis here. Transitional implementation guidelines have also been added for firms that are granted IM permissions for the first time. Transitional arrangements will be reviewed once the approach for all other firms has been updated.
• Senior Management Function (SMF) accountability: the PRA reinforces the importance of SMF overall accountability for the MRM framework and clarifies that this will be “additional and complementary” to the responsibilities of SMF holders for business, risk and control functions. Firms will be able to appoint more than one SMF — this is a positive step, appropriately reflecting the need for effective coordination of MRM work across multiple areas such as modelling, data, finance, etc.
• Financial reporting: the SS has been amended to make it clear that the PRA does not intend the remit of the Audit Committee to be widened — it expects that a report on MRM effectiveness will be made available to the committee on a regular basis to support members in discharging their duties.
• Model tiering: the PRA has made the wording around model tiering less prescriptive, enabling firms to select the relevant factors to determine model complexity — this recognises the differences in model complexity across firms.
• Post model adjustments: the PRA has also recognised the strategic nature of post model adjustments (PMAs) and the associated need for a proportional treatment to ensure their use is not disincentivised. Again, this is a positive move and will support banks' response to events that cannot be adequately captured by models.
• Subsidiaries: there is clarification that subsidiaries using models developed by the parent-group may leverage the outcome of the group's validation of the model if certain conditions are satisfied.
• Dynamic recalibration: the PRA further clarifies its expectations in respect of ensuring that the sum of changes coming from dynamic recalibrations are assessed over a sufficiently long period of time to ascertain whether any model interventions are required.
• Model documentation: clarification of expectations for documentation of vendor models — the PRA expects firms to ensure that the level of detail in the documentation of third party vendor models is sufficient to validate their use. This is in line with current requirements and expectations such as Internal Ratings Based (IRB) approaches for credit risk MRM principles for stress testing models.
• Escalation processes: modifications to Principle 5.3 to be less prescriptive — escalation processes should be determined by firms.

Lastly, there was broad agreement in feedback that the principles are sufficient to identify, manage, monitor, and control the risks associated with AI/ML models, but that model risks could be further amplified if a robust, firm-wide approach to AI/ML governance and controls is not designed and implemented appropriately. The PRA, BoE and FCA are still analysing responses to their Discussion Paper on AI (DP5/22) — see our article here. The PRA will consider the outcome of this analysis, together with the results of the 2022 machine learning survey and feedback on MRM, when deciding on further policy actions.

PS6/23 will take effect from 17 May 2024. Firms that first receive permission to use an internal model to calculate regulatory capital after the publication of PS6/23 will have 12 months to comply with expectations. Firms may have significant work to do to bring their model risk approaches into line with the new expectations.