Financial institutions face risk with modelsThe Survey of Model Risk Management, Vendor Model Validation, and Third-Party Model Risk covers the model risk management practices of North American banks ranging from $2 billion to $2 trillion in assets and explores in depth how financial institutions use and validate third-party models. Access the full survey here.
PHILADELPHIA, April 20, 2022 /PRNewswire/ — Financial institutions face a number of risks as they speed up digitization and rely more heavily on new technology to influence lending and other decisions, a new study of 62 banks by the Risk Management Association (RMA) has found.
“Banks increasingly use models to make decisions as well as to identify and measure risk, conduct stress tests, and perform other critical operations. This includes some powerful innovative practices like AI-driven models,” said Edward J. DeMarco, Jr., the head of Non-Financial Risk at RMA. “While this benefits customers by speeding credit decisions—and banks by making it easier to detect fraud—banks need to fully understand models and validate their accuracy to avoid creating more risk for their institutions.”
The Origins of Independent Model Risk Management
Model risk management developed in fits and starts with the evolution of quantitative modeling. Originally, most model controls were either traditional IT “change controls” that focused on robust implementation, or conceptual reviews by business-line senior managers who were in the direct chain of command.
By the early 1990s, risk management organizations in large trading banks and broker dealers recognized the value of an independent review. To start, in most firms, market risk managers primarily filled the role, part time. Market risk managers typically were relatively quantitative by training and had often come to risk management from stints in the front office.
Throughout our timeline of financial services modeling, model risk management always developed fastest after losses from particular model failures. Since the early days, as experience accumulated, episodic valuation and hedging mishaps have driven firms toward more systematic model controls.
The Watershed Moment: The Subprime Mortgage Crisis
The mortgage crisis of 2007 to 2009 is the crucial event that shaped model risk management as we now know it. As the mortgage market collapsed in the third and fourth quarters of 2007, it became clear that the models for rating and valuing mortgage collateralized debt obligations had played a material role. Losses were orders of magnitude larger than models projected. Valuation models broke down and, in many cases, failed to produce useful output during the height of the crisis. Going into the event, valuation models and historical prices fed capital models that produced probability-based loss numbers ludicrously below the losses realized on sub-prime mortgage securitizations. In sum, models developed and calibrated ex ante in benign markets failed to countenance the market conditions that eventuated. As a result, in the aftermath of the crisis, all quantitative modeling practices were in the regulators’ sights and became subject for reform.
In the wake of the mortgage crisis, the major prudential regulators were able to give the MRM guidance teeth by applying it actively in their oversight and examination activities. The guidance was used to structure their in-depth examinations of the major broker-dealers that became banks or were acquired by banks in the post- crisis reforms. The guidance became the framework for the examination of internal- model applications under the Basel capital rules, and a key component of the technical review of large banks’ Comprehensive Capital Analysis and Review (CCAR) stress-testing programs.
All large banks had to “up their game” in a very short time. Most increased their model risk management staff materially, established formal, documented model risk frameworks, and made their model risk management units independent and senior within the chief risk officer departments. The goal was to foster the stature needed to pose effective challenge and enforce modeling standards in the businesses and among model developers.
The scope of model uses expanded as well. Earlier model risk management emphasis tended to be on intensively used models in market, credit, asset-liability management, and liquidity risk at large commercial and capital markets banks. After things had stabilized in the wake of the subprime crisis and once the CCAR program was up and running, attention steadily expanded to cover the entire universe of models, encompassing models used in retail credit, operational risk, Bank Secrecy Act/Anti-Money Laundering monitoring, fraud detection, and myriad other processes needed to run a bank.
At the time of this writing, it is fair to say that the pace of modeling innovation has not slowed. The development of models and technology, which now include artificial intelligence and machine learning models and cover newly integrated risks like climate risk, present new challenges to MRM disciplines. Banks have an independent interest to continue investment in their model risk management capabilities, and, assuredly, the regulators will continue to press banks to integrate all new developments into their model risk frameworks.
Among the key findings:
- The top two challenges to expanding validation capabilities were talent (72%) and cost (63%).
- More than 70% of firms validate models every one to two years, a best practice. The rest validate models every three years.
- Nearly two-thirds of respondents said their model risk management (MRM) function reports directly into the chief risk officer, a sign of MRM’s growing stature.
RMA has established a Model Validation Consortium (MVC) to assist banks in validating the accuracy of models. More than 25 banks participate in the MVC.
“The increase in modeling comes at a time of growing concern about talent shortages in the financial industry, particularly in areas requiring technical skills such as model validation,” said Kevin D. Oden, founder and managing partner of Kevin D. Oden & Associates, a leading risk modeling validation company and RMA partner for RMA’s Model Validation Consortium. “This creates challenges for all banks but especially for community and mid-tier banks, as they often rely on third-party vendors to create models. Banks must verify that those models meet business needs and do not propagate errors or bias.”
About Risk Management Association (RMA)
Founded in 1914, the Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 1,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the Association by 31,000 individuals located throughout North America, Europe, Australia, and Asia/Pacific.
RMA brings financial institutions together through a series of consortia, councils, committees, and working groups on key issues. This includes RMA’s Climate Risk Consortia and the RMA Model Validation Consortium (MVC). Members of the MVC Advisory Council include Ally Bank, Forbright Bank, MUFG Bank, PNC Financial Services, U.S. Bank, and Zions Bancorporation.