Our thoughts on the PRA statements on Model Risk Management – Policy Statement (PS6/23) and Supervisory Statement (SS1/23)
22 May 2023
The PRA published its final policy, supervisory statement (SS) 1/23 – Model risk management principles for banks, along with its policy statement (PS), which provides feedback on the responses to its earlier consultation paper, Model risk management principles for banks (CP 2/22).
The PRA’s desired outcome is that firms take a strategic approach to Model Risk Management (MRM) as a risk discipline in its own right, to be applied across all model and risk types, based on five principle themes that remain unchanged from the earlier proposal:
Principle 1 – Model identification and model risk classification
Principle 2 – Governance
Principle 3 – Model development, implementation and use
Principle 4 – Independent model validation
Principle 5 – Model risk mitigants.
Arguably the most significant change following feedback is the narrowing of the scope of the final policy. SS1/23 clarifies that the expectations only apply to firms with permission to use internal models to calculate regulatory capital. The permissions referred to include using internal models to calculate regulatory capital requirements for credit risk (Internal Ratings Based approaches), market risk (Internal Model Approach) or counterparty credit risk (Internal Model Method).
An update is to be provided on the approach for all other firms, including ‘Simpler-regime Firms’, at a future date once the definition of a ‘Simpler-regime Firm’ has been finalised. Importantly, the PRA makes clear that “all firms regardless of size are already expected to manage the risks associated with models, as they would with any risk they are exposed to” and therefore this PS and SS should be reviewed proportionately, but in its entirety, by non-IM firms.
The PRA also responded to feedback concerning models provided by third-party vendors. The PRA acknowledges that documentation for third-party vendor models will not be as extensive as for internal models and that there is no obligation to share proprietary information, but the level of documentation must be sufficient to allow validation.
Additional key changes include:
- Replacing a reference to accounting with financial reporting and clarifying that the intent is for firms to make MRM reporting on the effectiveness of the MRM for financial reporting available to the audit committee;
- Removing the requirement that firms applying post-model adjustments (PMAs) should ‘address model limitations by better incorporating risks into models so that reliance on model adjustments will be reduced over time’ and the subsequent additional documentation requirements;
- Relaxing the requirements around the escalation of model exceptions to be less prescriptive and more principles-based; and
- Clarifying that firms:
  - Can appoint more than one Senior Management Function (SMF) to take responsibility for the MRM framework, its implementation, and the execution and maintenance of the framework, helping to remove conflict over first and second-line activities
  - Can select the relevant risk factors that impact a model’s inherent risk
  - Can leverage the outcome of a parent-group’s validation of a parent-group developed model if the conditions in Principle 2.6 (c) are satisfied
  - Should ensure the level of detail in the documentation of third-party vendor models is sufficient to validate the firm’s use of the model
Meeting requirements for MRM will present significant challenges for firms. These are likely to be:
i) Creating the means for governing all models in a firm.
The PS and SS significantly raise the bar for the review and governance of models. The PRA are clear that lenders need to improve their management and understanding of model risk. This adds further demand to model development and model review teams and, as stated later, possibly introduces the need for entirely different expertise with different risk disciplines and uses.
ii) Identifying and sensibly agreeing on the delegation of responsibilities to the most appropriate SMF(s).
The updates from the PRA clarify that the SMF may be a shared role, with some duties delegated. This may help with the issue of first-line work being assigned to the CRO. However, it also complicates how the Board will gain comfort over the whole MRM framework where risks sit across multiple roles, or views diverge.
iii) Dealing with a much broader scope of models and applying a standard that consistently manages the risks across what might be very different model types and uses.
This will require an expansion of expert IMV teams. These are roles which are notoriously difficult to fill. The broader scope will also require the adaptation of model review to non-traditional models such as AI and Machine Learning.
Firms with internal model permissions have one year, until 17th May 2024, to conduct an initial self-assessment of their implemented MRM frameworks against these principles and, where relevant, to prepare remediation plans to address any identified shortcomings. These self-assessments must be completed annually, with updates on the self-assessment and remediation plans being documented and shared with firms’ boards. Firms that are applying for internal model permissions will have 12 months from the grant of that permission to comply with the new policy.