In our first two posts about establishing an AML model risk management programme, we explained what a model is and outlined the essential foundational elements. With this in mind, please consider these questions:

1. How many models does your institution have?
2. What levels of risk do those models pose?
3. Who is responsible for ensuring that the modes align to business and regulatory requirements?

Senior management can be apprehensive about the amount of resources and time required to create central repositories for AML models. However, best practices and regulatory guidance indicate that developing an inventory, including the risk assessment and personnel responsible for each model, and supporting documentation, can result in better model quality and risk management.

How can your models be inventoried effectively, and what are the benefits of doing so?

Model inventory and assessment is a primary component of any model risk management programme and has three stages:

Source: Crowe Horwath LLP analysis

1. Identification
In order to identify models your financial institution must first define what a model is. Regulatory expectations can be ambiguous so you will need to:

1. Establish its own definition of a model, 2. Document the rationale of the definition, and; 3. Use the definition consistently. In our experience, what is considered a model varies by organisation. Some consider any process that has inputs, a mathematical component, and an output as a model. Others assess aspects of a process, such as the complexity of the calculations, to determine whether the process would be classified as a model.

To achieve a holistic view and understanding of your institution’s models, every effort should be made to identify and locate all the existing models, and establish processes to identify new models as they are rolled out.

2. Model Risk Assessment
To build an effective risk management programme, it is imperative to understand the inherent AML risk within each model, and analyse how effectively the controls mitigate that risk. Each model should be risk rated based on the level of AML risk exposure. The rating will determine the rigour and prioritisation of model risk management activities, such as validation.

At this stage organisations should identify models that are rarely used or redundant. These models can be retired from business practices and the resources that support them can be reallocated.

Elements that should be considered when determining the level of AML risk include the model’s:

– Financial impact
– Impact on customer outcomes
– Regulatory risk
– Data quality
– Level of sophistication
– Level of complexity
– Output and how it is used
– Potential for reputational risk

It is important to have a consistent model risk assessment process that is revisited periodically , to ensure consistency, and monitor for changes to risk.

3. Accountability
Defining roles and responsibilities is essential to establishing an effective model risk management framework. The rollout of the Financial Conduct Authority and Prudential Regulation Authority Senior Managers Regime is a move towards making individual bank employees more accountable. Expectations will continue to increase for accountability and ownership of model risk management and decisions made as a result of model outputs.

Organisations should identify the model owners who are responsible for setting AML risk tolerance levels, model parameters, controls and criteria for the use of the output of each model. The following should also be documented:

– The employees required to implement and monitor each model. For example, a model used for AML transaction monitoring could involve 20 to 150 scenarios and a 5 to 5,000 personnel to monitor and report suspicious activity.
– The knowledge and skills necessary to design and deploy an effective model
– How each model works, frequency used, and model users.

A Sustainable Process
Completing the initial model inventory and assessment process can take many months and large numbers of personnel. Carrying out this process to existing and new AML models is a worthwhile exercise, because it encourages sustainability. As well as the introduction of new AML models, we recommend that this exercise be carried out when for example, there is an acquisition, a new product or service offering, or newly published regulatory risk guidance.

By basing the process on this sustainable methodology, financial institutions can apply a consistent programme as new models are developed, adopted, and updated. It will also enable executives to make good risk management and business decisions, appropriately deploy resources, and mitigate regulatory concerns.