The PRA’s new supervisory statement extends banks’ model risk management obligations “across all models” - not just capital and stress testing. What steps must banks take to comply?
Despite last year’s government pronouncements about rolling back restrictions and cutting through red tape, 2023 is already looking like a big year for regulatory change and innovation. Implementing the new Consumer Duty rules (PS22/9) is going to be a top
priority. And banks will also want to have their say in ongoing discussions about the use of AI and machine learning (DP5/22).
But that’s not all. Last week (May 17) the PRA published ‘PS6/23 – Model risk management principles for banks’. The content of the statement isn’t a surprise - it hasn’t changed much from the draft published in CP6/22 last June - but you need to read between
the lines to understand its full implications. The changes required are serious and wide-ranging.
Extending MRM to all models
The statement sets out the PRA’s expectations that all UK banks, building societies and investment firms will follow five principles to create a robust model risk management (MRM) framework to “manage model risk effectively across all model and risk types”.
The key word here is “all” – until now, UK regulation was largely concerned with managing model risk on certain model types including capital and stress testing models. The proliferation of AI and Machine Learning models to support material decision-making
across banks means regulatory scrutiny will now be extended to cover all models from this time next year, including those used in “all decisions made in relation to the general business and operational banking activities, strategic decisions, financial, risk,
capital, and liquidity measurement and reporting, and any other decisions relevant to the safety and soundness of firms.”
Why is MRM under the microscope?
While the world still regards the UK a global leader in banking, the PRA has stated its concerns that in the sphere of MRM, UK banks are failing to keep pace with their international peers.
MRM is crucial to ensure proper governance of AI/ML models, yet it’s widely known that some of the biggest UK banks are still relying on spreadsheets to manage their model lifecycles and monitor model risk.
That’s why the PRA is taking immediate steps to make MRM a top priority for UK firms—and setting expectations for board-level involvement and understanding. This increased regulatory emphasis aims to:
Raise the standard of MRM at all UK banks.
Improve the safety and soundness the use of models across all departments.
Mitigate the risk of losses for individual banks.
Reduce the probability and severity of future crises in the banking sector.
Building one MRM framework to govern them all
The number and variety of models that banks use to support decision-making has increased massively over the past few years, and that growth is likely to accelerate as AI/ML models are adopted more widely. So, the desire to establish one MRM framework to
govern them all makes perfect sense. But it’s going to require a big change in the way models are managed at most banks.
That change will mean breaking down operational silos and getting data science teams from different business units to adopt a common approach for model lifecycle management. Since these teams may be using different tools and different languages to build
their models, standardisation could be a painful process.
Yet that’s a pain that banks will have to face - not least because the statement also calls for individual accountability at senior management function (SMF) level. In practice, this is likely to lay the responsibility at the door of the Chief Risk Officer.
And there’s a ticking clock, with implementation due by 17 May, 2024.
Making it happen
So, what’s the best way to achieve compliance in time? One senior leader I spoke with recently talked about the importance of embedding MRM disciplines into the “first line” of model development. This means educating the data scientists who design and build
the models about model risk and getting them to take responsibility for basic MRM practices, such as registering their models and potentially even assuming ownership of the bank’s central model inventory.
But it’s not just about working practices and accountability - you also need the right technology. At SAS, we’ve been working with some of the UK’s biggest banks to define an end-to-end solution for model lifecycle management, which integrates model risk
at every stage.
Freedom within the framework
We are already helping more than 75 banks around the world embed model risk management into every stage of the model lifecycle with our market leading MRM solution
On the one hand, our solution standardises the governance and processes around model registration, validation, approval, monitoring and reporting, so it puts the bank - and the Chief Risk Officer - in a much stronger position from a regulatory perspective.
On the other hand, it still gives data scientists the freedom to choose whatever tools and languages they prefer for data preparation, model building, and execution. That means they can continue to do the most interesting, creative, and valuable part of
their job with their favourite tools. Meanwhile, they can safely delegate most of the tedious, routine tasks - such as documentation, managing approval flows and reporting - to the automated tools in our platform.
MRM as a Service
We think this approach has huge benefits both for established banks and challengers. It can help the big banks reduce the friction of standardisation and build bridges between long-entrenched organisational silos. And it can give newer market entrants instant
access to a robust MRM framework based on our years of expertise in the UK banking sector. You could almost call it “MRM as a Service”.
If you’d like to learn more about how SAS can help you shift your bank’s approach to MRM and ensure you fully meet the PRA’s new expectations, feel free to reach out to me.