PRA Model Risk Management Principles

May 2024

The PRA's Model Risk Management (MRM) principles for banks are now live — see below for more on the requirements and how firms should be addressing them. 

The five principles set out in SS1/23 came into force on 17 May 2024 and will initially apply to banks, building societies and PRA-designated investment firms with approval to use internal models (IM) for regulatory capital purposes.  

Although the principles only apply to firms with existing IM permissions, they may well set the benchmark for model governance across all industries and sectors in the future. It is understood that many UK firms that are currently not in scope, including insurance firms, are planning to adopt the principles with an acknowledgement that a significant amount of MRM uplift may be required to comply with SS1/23 in a proportionate manner.

The principles cover all elements of the model lifecycle, from model development and validation to performance monitoring and model risk reporting. They also apply to all types of models, including financial reporting models, as well as material and complex deterministic quantitative methods (DQMs) used to inform key business decisions, risk management and financial reporting. 

Since the publication of SS1/23 in May 2023, in-scope firms have performed self-assessments against the five principles at a granular, line by line level. On the back of these self-assessments, they have devised remediation plans mapped to the gaps identified. The plans typically run over a multi-year time horizon of two to three years.

Whilst significant improvements have been made across the industry since SS1/23 landed, many firms recognise there is still work to be done across several MRM themes, including, but not limited to:

• Identification, documentation and risk-tiering of DQMs
• Model governance uplift, including model risk policies and standards
• Enhancement of model risk tiering dimensions across all model families
• Development of comprehensive model inventories
• Setting clear model risk appetite measures and monitoring techniques
• Expectation that all models and material and complex DQMs would require validation

Taking DQMs as an example — identifying and incorporating DQMs within the scope of formal governance is likely not only to stretch existing teams, but also require new governance and operational structures to be established. All the examples above will need to be supported by policies, standards and procedures that either need to be reviewed or produced for the first time to ensure that the principles are embedded appropriately. 

Based on what we have heard in our industry discussions, it is likely that the interpretation of some principles may also differ across firms. A coordinated industry approach will be needed to identify and implement good practices in a consistent and proportionate manner. 

In addition, SS1/23 will not only require relevant teams to be resourced with distinct skillsets but will also demand a cultural shift in many cases to ensure MRM is appropriately embedded as a 'risk in its own right 'across all three lines of defence. The requirements for model owners and model users will help drive greater collaboration with model developers and validators, as both are expected to have a closer understanding of the modelling work involved.

In the past week, several large banks have submitted their self-assessments and remediation plans to the PRA. At the PRA's request, some banks will need to provide further information over the coming months around their MRM frameworks, policies, standards and other relevant MRM governance documents.

Many in-scope firms have established SS1/23 compliance programmes to drive the implementation of SS1/23 remediation plans. Robust governance will need to be in place to ensure these plans gain sufficient traction and momentum, with the appropriate oversight at the MRM Committee and Board levels. 

We expect new gaps to be identified over time as, for example, new model categories and DQMs emerge. Therefore, remediation plans should be sufficiently flexible to adapt accordingly. First line responsibilities are also expected to increase, particularly for less mature model families such as financial crime.

Given the size and model landscapes of the in-scope firms, we might expect the PRA to commission MRM firm-specific or thematic s166s once the review of self-assessments and remediation plans are complete. 

For more on the implications of the PRA's principles and to discuss your requirements, contact us: