Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Financial Crimes Enforcement Network (FinCEN).
Notice and request for information and comment.
The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the agencies), seek information and comment from interested parties on the extent to which the principles discussed in the interagency Supervisory Guidance on Model Risk Management (referred to as the “model risk management guidance,” or MRMG) support compliance by banks with Bank Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency. The OCC, Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement to clarify that the risk management principles discussed in the MRMG are appropriate considerations in the context of the BSA/AML statutory and regulatory requirements.
Comments must be received by June 11, 2021.
Interested parties are invited to submit written comments to:
You may review comments and other related materials that pertain to this action by the following method:
The docket may be viewed after the close of the comment period in the same manner as during the comment period.
• All public comments will be made available on the Board's website at
In general, the NCUA will enter all comments received into the docket and publish the comments on the
You may review comments and other related materials that pertain to this Request for Information and comment by any of the following methods:
• Due to social distancing measures in effect, the usual opportunity to inspect paper copies of comments in the NCUA's law library is not currently available. After social distancing measures are relaxed, visitors may make an appointment to review paper copies by calling (703) 518–6540 or emailing
Please submit comments by one method only. Comments submitted in response to this Request for Information and Comment will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.
The sound risk management principles discussed in the MRMG
Stakeholders within the banking industry have questioned how the risk management principles described in the MRMG relate to systems or models used to comply with BSA/AML laws and regulations. The OCC, Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement with this Request for Information (RFI) to clarify that
In this RFI, the agencies seek comments and information from interested parties on the extent to which the principles discussed in the MRMG support compliance by banks with BSA/AML laws and regulations. This RFI also seeks feedback on the extent to which the MRMG principles support compliance by banks related to models and systems used in connection with OFAC requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency.
The BSA
FinCEN, a bureau of the U.S. Department of the Treasury, is the delegated administrator of the BSA. In this capacity, FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, supports examinations, and pursues civil enforcement actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC (the “federal banking agencies”) to examine banks
The federal banking agencies are responsible for the oversight of the various banking entities operating in the United States, including U.S. branches and agencies of foreign banks. The federal banking agencies' regulations require each bank under their supervision to establish and maintain a BSA compliance program, as does the BSA itself.
• Internal controls to assure ongoing compliance;
• Independent testing for compliance;
• Designation of an individual or individuals, also referred to as the BSA/AML compliance officer(s), responsible for coordinating and monitoring day-to-day compliance; and
• Training for appropriate personnel.
A bank also has requirements related to suspicious activity reporting,
OFAC is an office of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC acts under the President's wartime and national emergency powers, as well as under authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.
All U.S. persons, including U.S. banks, bank holding companies, and nonbank subsidiaries, must comply with OFAC's regulations. OFAC-issued regulations apply not only to U.S. banks but also to their foreign branches and overseas offices and often to subsidiaries. OFAC encourages banks to take a risk-based approach to designing and implementing an OFAC compliance program.
• Block accounts and other property of specified countries, entities, and individuals.
• Prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals.
• Report blocked property and rejected transactions to OFAC.
On April 4, 2011, the Board and the OCC issued guidance for banks subject to their supervision on effective model risk management (MRM). The FDIC subsequently adopted this guidance in 2017.
Consistent with the federal banking agencies' support of safe and sound banking principles, the MRMG lays out principles for sound MRM in three key areas: (1) model development, implementation, and use; (2) model validation; and (3) governance, policies, and controls. The guidance describes different MRM responsibilities for different parties within a bank, based on their roles, including those building the models, those independently reviewing the models, and those providing a governance framework for MRM.
Concurrently with the publication of this RFI, the OCC, Board, and FDIC, in consultation with NCUA and FinCEN, have published an “Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.” The MRMG principles provide flexibility for banks in developing, implementing, and updating models. Banks may use some or all of the principles in their risk management processes to support meeting the regulatory requirements of an effective BSA/AML compliance program. The questions posed in this RFI complement the statement and the agencies ask commenters to consider the two documents in conjunction with each other.
This RFI seeks information and comment on any aspects of the relationship between BSA/AML and OFAC compliance and the principles conveyed in the MRMG, including how those principles may support compliance and any differences in perceptions regarding their application. This RFI also asks for responses to specific questions outlined below.
To allow the agencies to evaluate suggestions more effectively, the agencies request that, where possible, comments include:
• Specific discussion of any suggested changes to guidance or regulation, including, in as much detail as possible, the nature of the requested change and supporting data or other information on impacts, costs, and benefits.
• Specific identification of any aspects of the agencies' approach to
The following sections list areas of interest on which commenters may want to focus. This list is meant to assist in the formulation of comments and is not intended to restrict what may be addressed by the public. Commenters may also address matters related to BSA/AML or OFAC compliance and the principles conveyed in the MRMG that do not appear in the list below. The agencies request that, in addressing these questions, commenters identify issues in as much detail as possible and provide specific examples where appropriate. Commenters are requested to comment on some or all of the questions below and are encouraged to indicate the area on which their comments are focused. The agencies request that commenters providing suggestions note their highest priorities, where possible, along with an explanation of how or why certain suggestions have been prioritized.
The term “BSA/AML and OFAC models” is used in the questions below to describe BSA/AML or OFAC compliance systems that a bank considers models, so its interpretation could vary from bank to bank. When providing feedback, please note that the MRMG principles provide flexibility for banks in developing, implementing, and updating models. The extent and nature of model risk varies across models and banks, and a bank's risk management framework is most appropriately tailored when it is commensurate with the nature and materiality of the risk. The agencies are interested in gathering information about industry practices and welcome responses regarding individual banks, as well as common industry practices.
1. What types of systems do banks employ to support BSA/AML and OFAC compliance that they consider models (
2. To what extent are banks' BSA/AML and OFAC models subject to separate internal oversight for MRM in addition to the normal BSA/AML or OFAC compliance requirements? What additional procedures do banks have for BSA and OFAC models beyond BSA/AML or OFAC compliance requirements?
3. To what extent do banks have policies and procedures, either specific to BSA/AML and OFAC models or applicable to models generally, governing the validation of BSA/AML and OFAC models, including, but not limited to, the validation frequency, minimum standards, and areas of coverage (
4. To what extent are the risk management principles discussed in the MRMG appropriate for BSA/AML and OFAC models? Please explain why certain principles may be more or less appropriate for bank operations of varying size and complexity. Are there other principles not discussed in the MRMG that would be appropriate for banks to consider?
5. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has resulted in substantial delays in implementing, updating, and improving systems. Please describe any factors that might create such delays, including specific examples.
6. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has been an impediment to developing and implementing more innovative and effective approaches to BSA/AML and OFAC compliance. Do banks consider MRM relative to BSA/AML an impediment to innovation? If yes, please describe the factors that create the impediments, including specific examples.
7. To what extent do banks' MRM frameworks include testing and validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA? Please explain.
8. To what extent do banks use an outside party to perform validations of BSA/AML and OFAC compliance systems? Does the validation only include BSA/AML and OFAC models, as opposed to other types of models used by the banks? Why are outside parties used to perform validation?
9. To what extent do banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both? What challenges arise with such systems considering the principles discussed in the MRMG? Are there challenges that are unique to any one of these systems?
10. To what extent do banks' MRM frameworks apply to all models, including BSA/AML and OFAC models? Why or why not?
11. Specific to suspicious activity monitoring systems, the agencies are gathering information about industry practices. The agencies welcome responses to the following, regarding individual bank and common industry practices.
i. To what extent do banks validate such systems before implementation?
ii. Are banks able to implement changes without fully validating such systems? If so, please describe the circumstances.
iii. How frequently do banks validate after implementation?
iv. To what extent do banks validate after implementing changes to existing systems (
v. How do banks validate such systems?
vi. What, if any, compensating controls do banks use if they have not had an opportunity to validate such systems?
b. Suspicious activity monitoring system
c. Suspicious activity monitoring system
d. Suspicious activity monitoring system
12. To what extent do banks calibrate the scope and frequency of MRM testing and validation for BSA/AML and OFAC
By order of the Board of Governors of the Federal Reserve System.