In a joint statement on model risk management principles, the Federal Reserve Board, the FDIC and the OCC, in consultation with FinCEN and the National Credit Union Administration (collectively, the "agencies"), described how their "Supervisory Guidance on Model Risk Management" (or "MRMG") relates to Bank Secrecy Act / Anti-Money Laundering ("BSA/AML") systems.

The agencies stated that there is no specific organizational structure for BSA/AML system oversight, and that a bank may decide which principles in the MRMG are useful to it. The agencies clarified that the MRMG:

  • does not have "the force and effect of law";
  • is not a set of testing procedures;
  • does not establish the expectation that a bank have duplicative processes for complying with BSA/AML requirements;
  • provides a definition for "models," which a bank should reference when determining whether a BSA/AML system is a model;
  • provides "flexibility" in principles for a bank that is updating its models; and
  • addresses third-party model principles.

Concurrent with the publication of the joint statement, the agencies issued a request for comment seeking information to determine whether additional clarification would be useful.

Comments on the notice must be submitted by June 11, 2021.

Commentary

Financial institutions should take with a grain of salt the agencies' assertion that, "[t]his statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations." The same document clearly states, "[f]or automated transaction monitoring systems, prudent risk management involves periodically reviewing and testing the filtering criteria and thresholds to ensure that they are still effective, as well as independently validating the monitoring system's methodology and effectiveness to ensure that the monitoring system is detecting potentially suspicious activity." While the interagency statement may not have the force of law, financial institutions' BSA/AML systems are required by law to be reasonably designed and risk-based; a regulator could easily determine that use of an automated transaction monitoring system without appropriate review, testing, and validation falls short of those legal requirements.

Primary Sources

  1. Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance
  2. Federal Register: Request for Information and Comment - Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements
  3. OCC, FRB, FDIC, NCUA, FinCEN Notice and request for information and comment: Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance with Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets
  4. OCC Press Release: Agencies Issue Statement and Request for Information on Bank Secrecy Act/Anti-Money Laundering Compliance
  5. FRB Press Release: Agencies issue statement and request for information on Bank Secrecy Act/anti-money laundering compliance
  6. SR 21-8: Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance
  7. FDIC Press Release: Agencies Issue Statement and Request for Information on Bank Secrecy Act/Anti-Money Laundering Compliance
  8. FIL-27-2021 - Bank Secrecy Act: Agencies Address Model Risk Management for Bank Models and Systems Supporting Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Compliance
  9. NCUA Press Release: Agencies Issue Statement and Request for Information on Bank Secrecy Act/Anti-Money Laundering Compliance
  10. FinCEN Press Release: Agencies Issue Statement and Request for Information on Bank Secrecy Act/Anti-Money Laundering Compliance

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.