The recently issued interagency statement SR 21-8 is a non-binding guidance note with very useful and practical suggestions on how banks can juggle resources between SR 11-7 and AML/BSA compliance. It works to remove any duplicate efforts that banks may have to undertake to align their compliance requirements under DFS Part 504 (Anti-Money Laundering (AML) / Bank Secrecy Act (BSA) regulations) and SR 11-7 Model Risk Management requirements.
SR 21-8 accords primacy to the existing AML/BSA regulations and limits its scope to explaining how banks may cross-leverage various principles laid out in SR 11-7 for innovative and effective risk management of models, systems, and applications used for AML/BSA compliance.
Risk-Based Approach For Validation of Model Changes: The note recommends using the risk-based approach laid down in SR 11-7 to rationalize the effort spent reviewing and validating changes to BSA/AML models and systems. Changes to BSA/AML systems are inherently frequent and of low materiality. They are carried out at very short intervals in response to the rapidly evolving threat environment and are associated with revisions to rules, thresholds, and keywords for detecting suspicious activities. Banks may apply a less intensive targeted or change-based validation approach to approve these changes, or may forgo revalidation altogether. The note thus prioritizes quick implementation of enhancements and advises doing away with the need for large-scale, full-scope validation.
Effective Challenge For Risk Assessment: The note encourages the use of the objective model risk assessment principle under SR 11-7 for the execution of the DFS Part 504 risk assessment. It suggests using the methods that have been deployed for the effective challenge process under SR 11-7 over many years, and its execution by an independent expert.
Third-Party Risk Management: Since many banks use third-party models for BSA/AML compliance, the note stresses the need for banks to obtain and document sufficient information about how the model works, despite the proprietary nature of the information and unstated resistance by the third party to sharing it. Further, banks are advised to document and validate customizations made to the third-party model. Ongoing model monitoring activities may include monitoring and due diligence of the third party itself to account for DFS Part 504 obligations. This is specifically emphasized for compliance-related activities, such as currency transaction reporting, monitoring transactions, detecting suspicious activity, or suspicious activity reporting. Business Continuity Planning is also advised for third-party models used for BSA/AML compliance programs.
Independent Testing and Back Testing: The note provides useful tips in areas that have proven burdensome for banks as they align risk management efforts between SR 11-7 and BSA/AML regulations. It allows independent testing activities conducted for BSA/AML purposes to be used and referenced for independent model validation as per SR 11-7. It also recognizes that SAR Yield Analysis and the comparison of actual vs. predicted outcomes, a commonly used technique for other models, may not always apply to BSA/AML models because of the lack of visibility into the filing of Suspicious Activity Reports.