On 9 April 2021, U.S. federal regulators issued an Interagency Statement addressing the application of existing model risk management guidance (MRMG) to systems or models used by banks to comply with Bank Secrecy Act (BSA) laws and regulations.1 The agencies simultaneously issued a Request for Information and Comment from interested parties on the extent to which the principles outlined in the MRMG help banks comply with U.S. BSA/anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) requirements.2 The agencies are seeking feedback from the industry to better understand bank practices in these areas and to determine whether additional guidance may be necessary. Banks should take advantage of this invitation by submitting comments, which are due by June 11, to their respective supervisory agency.
On 31 March 2021, U.S. federal regulators also asked industry to provide information and comments—due June 1—on their use of artificial intelligence (AI), including machine learning, their views on the appropriate governance, risk management, and controls over AI, and any challenges in developing, adopting, and managing AI approaches. AI is a technology that underpins many innovative approaches to BSA/AML compliance.3 The responses to both requests will likely be used to inform the rules that the Anti-Money Laundering Act (AML Act) of 2020 requires the Department of Treasury to issue establishing standards for the testing and validation of technology used to comply with BSA requirements.
Background on the MRMG’s Applicability to Financial Crimes Compliance
The MRMG was adopted in 2011, replacing earlier guidance from 2000. Banks routinely use models—which the MRMG defines as “quantitative method[s], system[s], or approach[es] that appl[y] statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates”4—for a variety of purposes outside of BSA/AML/OFAC compliance, such as underwriting credit and determining capital and reserve adequacy. The MRMG focuses on how banks can assess, measure, and manage the risk inherent in these models, for example through testing and validation.
- Although the MRMG, as supervisory guidance, does not have the force and effect of law, financial institutions often apply costly and complex model calibration, testing, and validation standards to elements of their BSA/AML/OFAC compliance approaches to meet what they believe are the expectations of examiners. The application of the MRMG to BSA/AML/OFAC compliance has been controversial within the industry, and the Bank Policy Institute has called on federal banking agencies to clarify that MRMG does not apply in the context of non-financial models such as those used for sanctions screening.5
- The adoption of innovative approaches toward BSA/AML compliance, and particularly transaction monitoring, that incorporate AI can further complicate model validation. As the “Request for Information and Comment on Financial Institutions’ Use of Artificial Intelligence, Including Machine Learning” states, certain AI approaches are less transparent and explainable, making it more difficult to use traditional model validation methods related to, for example, establishing conceptual soundness.
- The AML Act requires the Department of Treasury to issue a rule that specifies the standards for testing the technology and internal processes that are used to comply with the BSA, such as transaction monitoring systems. The rule should account for innovative approaches such as artificial intelligence and machine learning, and the AML Act requires the Federal Financial Institutions Examination Council to update its BSA/AML Examination Manual to ensure that examinations of these models and systems are consistent with Treasury’s rule.
Key Points from the Interagency Statement
The Interagency Statement is intended to clarify how the risk management principles outlined in the MRMG relate to systems or models that banks use to comply with BSA/AML/OFAC obligations.6 The Interagency Statement notes that although some BSA/AML systems may constitute models based on the definition in the MRMG, others may not. Importantly, the determination of whether a BSA/AML system constitutes a model should be made on a bank-specific basis, drawing on all relevant information. Further information in the Interagency Statement that is intended to clarify the applicability of the MRMG to financial crimes compliance includes:
- The Interagency Statement states that standalone, simple tools that flag transactions based on a singular factor—such as reports that identify cash, wire transfer, or other transaction activity over certain value thresholds—as well as systems used to aggregate cash transactions across the bank’s branches for purposes of filing a Currency Transaction Report (CTR) likely would not be considered models under the MRMG.7
- The Interagency Statement also clarifies that there is no specific organizational structure required for oversight of BSA/AML systems by a bank. Such oversight could be conducted solely by the bank’s compliance function, a model risk management group, another functional area, or some combination of these functions.8
The Interagency Statement notes that some, but not all, automated transaction monitoring systems may involve the use of modeling.9 In all cases, however, prudent risk management involves periodically reviewing and testing the filtering criteria and thresholds to ensure that they are effective, as well as independently validating the monitoring system’s methodology and effectiveness to ensure that the monitoring system is detecting potentially suspicious activity.10
- Model reviews and validations should be performed with a frequency appropriate for, or when there are changes to, a bank’s risk profile. Changes to a BSA/AML risk profile may include new or revised bank products, services, customer types, or geographic locations, or expansion of the bank through mergers and acquisitions.11
- The Interagency Statement clarifies that there is no requirement that a bank perform duplicative independent testing activities for BSA/AML and model validation purposes. Rather, the principles for risk management set forth in the MRMG “provide a framework that can be used to help support an effective BSA compliance program,” including BSA/AML independent testing.12
- The extent and nature of model risk varies across models and banks. Whether changes to a model require the model to be revalidated—or revalidated with respect to some but not all model components—will depend on the nature and materiality of the changes and the associated risks.13
Sound model validation processes include the evaluation of conceptual soundness, ongoing monitoring, and outcomes analysis. For banks that use models to comply with BSA/AML requirements, validation should be performed by individual(s) with sufficient expertise and an appropriate level of independence from the model’s development and implementation.14 Certain aspects of the Interagency Statement attempt to acknowledge the differences between financial crimes compliance models and systems and those related to traditional financial functions such as underwriting.
- The Interagency Statement recognizes that the objectives and structure of BSA/AML models may differ from those in other business units. For example, a bank may choose to accept a reduction in efficiency—such as by producing more alerts, which in turn requires more investigative resources—in exchange for greater coverage in its automated transaction monitoring system.15
- BSA/AML models may also require more rapid adjustments based on risk, and the testing and validation of BSA/AML models may not include the same techniques as other models where, for example, complete information about the outcomes of suspicious activity reporting is not available.16
- Finally, the Interagency Statement emphasizes the importance of conducting due diligence and ongoing monitoring with respect to third-party models used for BSA/AML compliance purposes, such as CTR reporting and suspicious activity monitoring and reporting.17
Request for Information and Comment and Suggested Topics for Commenters
The Request for Information and Comment invites interested parties to comment on any aspect of the relationships between BSA/AML and OFAC compliance and the principles conveyed in the MRMG, including how those principles may support compliance and any differences in perception regarding their application.18 Much like the recent Advance Notice of Proposed Rulemaking issued by FinCEN seeking high-level industry input on questions related to implementation of regulations required under the AML Act of 2020 to establish a national beneficial ownership database, responses to this Request for Information and Comment are likely to be used in shaping new rules required under the AML Act, providing an important opportunity for industry input.
- Commenters are invited to address any matters related to BSA/AML or OFAC compliance and the principles conveyed in the MRMG. However, the agencies specifically request responses to 12 questions regarding the application of BSA/AML and OFAC models, both in individual banks and as common practice across the industry as a whole.19
- The agencies request that, where possible, comments include:
  - Specific discussion of any suggested changes to guidance or regulation, including, in as much detail as possible, the nature of the requested change and supporting data or other information on impacts, costs, and benefits; and
  - Specific identification of any aspects of the agencies’ approach to BSA/AML and OFAC compliance as it relates to MRMG that are working well and those that could be improved, including, in as much detail as possible, supporting data or other information on impacts, costs, and benefits.20
1 Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), “Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance” (hereafter, “Interagency Statement”), April 9, 2021, available at https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20210409a2.pdf. The Interagency Statement was issued in consultation with the Financial Crimes Enforcement Network (FinCEN) and the National Credit Union Administration (NCUA).
2 OCC, Federal Reserve, FDIC, NCUA, and FinCEN, “Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements” (hereafter “Request for Information and Comment”), April 12, 2021, available at https://www.federalregister.gov/documents/2021/04/12/2021-07428/request-for-information-and-comment-extent-to-which-model-risk-management-principles-support.
3 Office of the Comptroller of the Currency, “Artificial Intelligence: Request for Information on Financial Institutions' Use of Artificial Intelligence, Including Machine Learning,” March 31, 2021, available at https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-17.html.
4 Interagency Statement, at 3.
5 Bank Policy Institute, “Reforming the U.S. Sanctions Regulatory Regime: How a Smarter, Risk-Based Approach Can Make Sanctions More Effective,” December 9, 2020, available at https://bpi.com/reforming-the-u-s-sanctions-regulatory-regime-how-a-smarter-risk-based-approach-can-make-sanctions-more-effective/#_ftn11.
6 Interagency Statement, at 3.
7 Interagency Statement, at 3.
8 Interagency Statement, at 3.
9 Interagency Statement, at 2.
10 Interagency Statement, at 3-4.
11 Interagency Statement, at 3 n. 7.
12 Interagency Statement, at 4.
13 Interagency Statement, at 4.
14 Interagency Statement, at 4.
15 Interagency Statement, at 4-5.
16 Interagency Statement, at 4.
17 Interagency Statement, at 5.
18 Request for Information and Comment, at 18980.
19 Request for Information and Comment, at 18981-82.
20 Request for Information and Comment, at 18980-81.