The PRA has published its Policy Statement (PS6/23) on Model Risk Management. The policy and accompanying Supervisory Statement (SS1/23) come into force on 17 May 2024.
The definition of a model and the high-level principles have not changed from the consultation paper (CP6/22). Changes to the detailed content of the principles generally reduce prescriptiveness and increase the proportionality of requirements, although there is one significant change: the policy will only initially apply to banks with an internal model approval for regulatory capital purposes. Once it has progressed its policy on Simpler-regime firms, the PRA will clarify how the policy on MRM will apply to banks without internal model approvals, although it notes that all firms, regardless of size, are expected to manage the risks associated with models where they are used.
Implementing the changes required to comply with the supervisory statement will be a challenge for modelling teams and model governance processes that are already under considerable pressure. Banks that are able to identify common requirements that can be delivered across multiple modelling workstreams will be best placed to implement the model risk management principles as well as the wide range of modelling work already under way.
Audience: Chairs of Board Audit and Board Risk committees, CROs, CFOs, heads of model risk, model owners/sponsors, model users, model developers, model validators, heads of internal audit.
In June 2022 the PRA published CP6/22, its consultation on Principles for Model Risk Management (MRM). The PRA’s core concern driving the publication of the principles is that senior executives and Boards are not fully aware of the extent to which models drive management decisions in banks. The CP proposed five principles for MRM, along with a very broad definition of what constitutes a model for the purposes of the principles.
Figure 1 shows the PRA’s definition of a model from the Supervisory Statement, and the high-level description of the five principles for MRM, none of which is materially changed from the CP. A more complete assessment of the CP can be found in our previous blog.
Figure 1: MRM Principles per SS 1/23
The PRA received considerable feedback from industry in response to the CP and has reflected that in the Policy and Supervisory Statements.
The most significant change in the Supervisory Statement is in the scope of application, as the policy will only initially apply to banks with internal model (IM) approvals for regulatory capital purposes when it comes into force in May 2024. Banks that are applying to become IM banks will have 12 months from the date of approval of their IM application to demonstrate compliance with the principles.
The PRA will update the industry as to how the principles will apply to non-IM banks once it has progressed its policy work on Simpler-regime firms, albeit the PRA notes that all firms, irrespective of size, are required to manage their model risks and that non-IM firms which are subject to existing supervisory expectations around models (such as self-assessments and attestations) should continue to comply with them.
Changes to the content of the policy predominantly see the PRA stepping back from the somewhat prescriptive nature of the CP and allowing banks greater scope to interpret some of the requirements with proportionality to their own business complexity and size. This was a common theme in the feedback the PRA received.
However, less regulatory prescription inevitably means reduced clarity as to what constitutes a compliant approach: industry and the PRA will likely have ongoing conversations on this point, particularly in respect of where the definition of a model stops, and whether banks’ assessments of a proportional implementation are sufficiently rigorous.
The content changes the PRA has made to its original proposals include:
The PRA noted in the Policy Statement that it received considerable feedback on the application of the principles to Artificial Intelligence and Machine Learning (AI/ML) models, in particular:
The PRA observed that there are similarities between the feedback received from CP6/22 on MRM and that received on DP5/22, the joint Bank of England/PRA/FCA discussion paper on the use of Artificial Intelligence and Machine Learning in financial services. The PRA notes that it will assess the feedback from DP5/22 as well as the responses to the 2022 Machine Learning Survey to inform any further policy actions.
In the meantime, as there is no specific reference to AI/ML in the supervisory statement, banks should proceed on the basis that the MRM principles will apply in full to AI/ML models that meet the PRA’s definition, absent further policy publication by the PRA.
Banks with existing IM permissions already have significant ongoing effort in their modelling teams, with work underway in several areas, including:
Banks will have to address a number of challenges in meeting their obligations around MRM:
The PRA sees model risk as a risk that should be treated in the same way as other material risks in banks: it should be part of risk appetite and should be monitored and managed as seriously as any other material risk. The PRA’s intent in putting the principles for MRM into the supervisory framework is to drive a change in banks’ culture around MRM.
The policy comes into force on 17 May 2024, one year from the date of publication.