Model Risk Management for Financial Institutions


Financial institutions are under constant scrutiny and supervision. There is an immense amount of pressure placed on these institutions to follow regulations and mitigate compliance risks. The Board of Governors of the Federal Reserve System Office of the Comptroller of Currency previously issued SR Letter 11-7, also known as the “Supervisory Guidance on Model Risk Management.” This complex letter outlines the rules and regulations that financial institutions need to follow when using certain models for financial and business decisions. Here are a few of our takeaways from SR Letter 11-7.

A model is defined by SR 11-7 as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. A model consists of three components: an information input component, which delivers assumptions and data to the model; a processing component, which transforms inputs into estimates; and a reporting component, which translates the estimates into useful business information.”

Common Types of Models for Financial Institutions

The two most common types of models currently being used by community financial institutions are Asset-Liability Management/Interest Rate Risk (“ALM/IRR”) Models and Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Models.

  • ALM/IRR Models accept input of current financial information data, transform the input data to develop estimates regarding impacts of interest rate changes on income and economic value of the institution, and develop reports of the estimates to help management achieve satisfactory and consistent profits, liquidity, and safety of the institution.
  • BSA/AML Models accept input of transaction data from the institution’s products and services and analyze the transaction data to produce reports that identify reportable cash transactions and identify suspicious activities.

Note: Some solutions to comply with accounting changes related to Current Expected Credit Losses (CECL) may be considered a model if meets the input, processing and reporting components referred to above.

Run Tests

When testing model risk, begin by troubleshooting and assessing the model in real-life situations. That means actually spending time with your team to run exercises, go through the decision-making process, and find where your decided model works and where it fails. When it comes to risk management, financial institutions are held to a very high standard  for self-testing the models they choose to adopt, so be sure to conduct ample due diligence on the front end to thoroughly test each model.

Build Your Process

Once you have selected a model to build on and have finished your initial phase of testing, you can begin the adoption and customization process. If the selected model works well for your business, you will have minimal work to do here. Larger corporations and financial institutes, on the other hand, will find this to be a daunting task. Be sure that you take the time now, while the testing is still fresh in your mind, to make the changes, shift the model, and set checks in places to make sure each data point and analysis is functional, correct, and working towards your end goal.

Model Validation

Model validation is another key principle in model risk management and the main focus of examiners. Validation is an independent review of all model components to verify the models are operating as expected based on their design objectives and business uses. The scope and sophistication of validation should be commensurate with the institution’s overall use of models, the complexity and materiality of models, and the size and complexity of the institution’s operations. Institutions are expected to validate their own use of the vendor models. The validation should be performed by “people who are not responsible for model development or use and do not have a stake in whether a model is determined to be valid.” The validation should be performed by people with appropriate incentives, competence, and influence.

An effective validation framework should include three core elements:

  • Evaluation of conceptual soundness, including developmental evidence
  • Ongoing monitoring, including process verification and benchmarking
  • Outcomes analysis, including back-testing

Regulatory examiners are not only asking for model validation reports that include the above elements, but they are also asking for the resume of the person who performed the work as well as the validation workpapers that support the validation report.

For additional guidance related to model validation or risk management, or financial institution advisory services in general, contact Larry Brown, Director of VonLehman’s Financial Institutions Group, at or 800.887.0437.

Have a Question? Contact Us

Contact Us