CBA Comment Letter re Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements

To Whom It May Concern:

The Consumer Bankers Association (“CBA”) appreciates the opportunity to offer comments in response to the Office of the Comptroller of the Currency (“OCC”), Board of Governors of the Federal Reserve System (“Board”), Federal Deposit Insurance Corporation (“FDIC”), National Credit Union Administration (“NCUA”), and Financial Crimes Enforcement Network’s (“FinCEN”) (collectively, “Agencies”) Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements (“RFI”). We commend the Agencies on their interest in obtaining industry feedback on the extent to which existing regulatory model risk management principles effectively govern the unique models employed by banks to support Bank Secrecy Act/Anti Money Laundering (“BSA/AML”) compliance.

The CBA also commends the Agencies for issuing the April 9, 2021, Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti Money Laundering Compliance (“Joint Statement”), an attempt to clarify how the 2011 “Supervisory Guidance on Model Risk Management”1 (“MRMG”) relate to banks’ BSA/AML and OFAC systems. The Joint Statement takes helpful steps towards the implementation of model risk principles appropriate to the BSA/AML context. We applaud the Agencies for not imposing a restrictive definition of “model” but instead providing factors for individual banks to consider relative to their specific BSA/AML systems. We are also encouraged by the Joint Statement’s support for innovation and flexibility in model development and implementation, which we interpret as promoting out-of-the-box thinking on BSA/AML modeling.

Though the Joint Statement provides a helpful starting point for a conversation on the intersection of MRMG and BSA/AML model risk management, the CBA sees two important opportunities for the Agencies to refine their expectations of bank BSA/AML systems to align regulatory guidance with banking realities and promote consistency across all institutions with BSA/AML obligations.2 First, the CBA strongly urges the Agencies to announce a more permissive model risk management standard specific to BSA/AML systems and adopt criteria banks can meet in development and validation of BSA/AML models which would, by default, establish effective model risk management. Second, the CBA highly encourages the Agencies to scrutinize model risk management of BSA/AML systems consistently regardless of institution type so that banks and non-bank money transmitters are held to the same standard. The CBA urges the Agencies to carefully consider industry insights shared in response to this RFI and further refine their approach to model risk management of BSA/AML systems.

In this letter, we first address the two opportunities to refine regulatory expectations of BSA/AML systems and then provide specific responses to Questions 1, 2, 4, and 6.

I. Opportunities for the Agencies to Refine Regulatory Expectations as to Banks’ BSA/AML Systems

A. The Agencies should announce a more permissive model risk management standard and adopt development/validation criteria specific to BSA/AML systems.
The Agencies should reconsider the application of the MRMG to BSA/AML systems and instead announce a more permissive model risk management standard for BSA/AML systems and a clear set of criteria banks can apply in developing and validating BSA/AML models which would, once satisfied, automatically establish the sufficiency of the model from a risk management perspective. A less demanding model risk management standard for BSA/AML systems and set criteria banks can follow to automatically satisfy model risk management principles would signal to industry regulator awareness that BSA/AML systems are different in purpose and nature of output than systems used to conduct traditional bank activities and are thus inappropriately evaluated under the MRMG. BSA/AML systems (1) do not directly implicate safety and soundness concerns in the manner those concerns are implicated by traditional bank systems; (2) do not provide opportunities for banks to back test how “accurately” outputs answer questions posed; and (3) are stunted from an innovation standpoint by heavy regulatory scrutiny which prevents modeling agility responsive to ever-changing, illegal money transfer tactics. As such, the CBA recommends that the Agencies announce a relaxed model risk management standard and criteria banks may use to develop and validate models which satisfy model risk management principles by default.

1. BSA/AML activities are not a direct safety and soundness issue.

The MRMG is not appropriately extended to BSA/AML systems because the MRMG is rooted in the interest of promoting safety and soundness, which is not directly implicated by banks’ BSA/AML activities. The Federal Reserve noted, “The nation's banking system is only as safe and sound as the banks within the system.” Risk management seeks to protect the safety and soundness of individual banks so that banks can reliably perform traditional bank functions in support of the national system. Bank examiners evaluate factors related to traditional bank activities – i.e., capital, asset quality, management, earnings, liquidity, and sensitivity to risk – as indicators of soundness.

The MRMG is an extension of risk management specific to the changing dynamics of how banks employ tools to support bank activities. As noted in the MRMG, banks “routinely use models for a broad range of activities, including underwriting credits; valuing exposures, instruments, and positions; measuring risk; managing and safeguarding client assets; determining capital and reserve adequacy; and many other activities.”3 From the outset, the MRMG focuses on banks’ heavy reliance on “quantitative analysis and models in most aspects of financial decision making.”

But BSA/AML activities are unrelated to banks’ financial decision making. As such, any risk associated with BSA/AML systems concerns their ability to detect and produce the information sought by law enforcement, not potential impacts on safety and soundness. These systems may involve reporting risks, but not financial risks or other risks associated with traditional bank activities. It is therefore unreasonable to apply the MRMG principles to BSA/AML systems.
We recognize the risk of potential impact to the quality of reports derived from BSA/AML systems outputs is an important one. But it is not the same risk and does not involve the same considerations relevant to safety and soundness and the types of models originally contemplated under the MRMG. Recognition of this point by the Agencies – and by BSA examiners – is important to industry and warrants a different model risk management standard specific to BSA/AML systems.

2. BSA/AML model development is impeded by a lack of law enforcement feedback on the “accuracy” of model outputs.
In addition to differences in the type of risk implicated, BSA/AML systems differ from traditional bank systems in that banks lack information from the government about the “accuracy” of BSA/AML system outputs to optimize model development. The MRMG contemplates user feedback as an important part of model development. “[Model use] can serve as a source of productive feedback and insights from a knowledgeable internal constituency with strong interest in having models that function well and reflect economic and business realities. Model users can provide valuable business insight during the development process. In addition, business managers affected by model outcomes may question the methods or assumptions underlying the models, particularly if the managers are significantly affected by and do not agree with the outcome.”

For models developed to answer questions about traditional bank activities, such as credit models, banks can employ user feedback and compare known data or expected outcomes to model outputs. They can then use this for information to assess model performance generally and make determinations about how accurately a model answers the question posed. Adjustments can then be made as necessary to refine the model output.

However, banks lack the ability to test the “accuracy” of BSA/AML model outputs because, although they know the question posed, law enforcement – the model user – does not provide feedback on whether BSA/AML reports “get it right.” As such, banks do not know, for example, which activities on a Suspicious Activity Report are ultimately found to be criminal. Without that feedback, banks can validate a BSA/AML model to ensure its proper functioning but cannot test the model outcomes for accuracy, which negatively affects model development.

Given these limitations, the Agencies should not impose model risk management principles on banks that are inconsistent with the realities of BSA/AML modeling. Instead, the Agencies should identify criteria that banks can satisfy which, of themselves, establish effective model performance and meet model risk management expectations.

3. MRMG testing and evaluation demands discourage banks from BSA/AML system innovation.

MRMG testing and validation expectations for BSA/AML systems also work to inhibit innovation due to concerns within the industry of whether banks have sufficiently tested validated BSA/AML model performance. As a result of these concerns, banks may extend testing and validation timelines unnecessarily because of the perceived need for added assurances. These prolonged processes may have the effect of delaying the implementation of modeling that enhances activity detection or discouraging banks to the point where they do not pursue innovation because of added costs and compliance risks. The Agencies can address this issue by recognizing a reduced model risk management expectation for BSA/AML systems and providing steps for banks to complete to satisfy their model risk management obligations for BSA/AML compliance, which would cut down on the perceived need for such extensive testing and validation.

B. BSA/AML Systems Used by Banks and Non-Bank Money Transmitters Should Face the Same Level of Scrutiny
The Agencies have another opportunity to refine the application of model risk management principles to BSA/AML systems by subjecting those systems to a consistent level of scrutiny regardless of whether they are developed and used by banks or non-bank money transmitters. Though FinCEN imposes BSA/AML reporting and risk management requirements on both, non-bank money transmitters do not face the same level of supervision and regulatory involvement as do banks. Banks by their nature are subject to heavy federal regulation and routinely experience examination by financial regulators. Non-bank money transmitters, however, do not face similar regulatory oversight. Instead, it is left to individual state regulators to determine the appropriate amount of BSA/AML oversight for non-bank money transmitters. To the extent states exercise their oversight authority, their examinations do not necessarily include the non-bank money transmitter’s BSA/AML systems. If they do examine BSA/AML systems, there is no guarantee each state examines those systems consistently with each other, or that the states’ examination of BSA/AML systems is consistent with how the federal financial regulators examine those of banks.

The disparity in BSA/AML oversight based on institution type, despite the fact both types of institutions are engaged in the same activity, does not make sense. Both banks and non-bank money transmitters may use BSA/AML systems to help them satisfy BSA/AML reporting requirements. The use of BSA/AML models by either presents the risk of underreporting or other impact to the quality of data reported. If anything, the BSA/AML systems of the more regulated banks are likely to perform more reliably than BSA/AML systems employed by the under-regulated non-bank money transmitters. The Agencies, and particularly FinCEN, should engage state regulators to identify ways to level the playing field as to BSA/AML model risk management oversight regardless of institution.

II. Responses to Select Questions Posed in the RFI

Question 1: What types of systems do banks employ to support BSA/AML and OFAC compliance that they consider models? What types of methodologies or technologies doe these systems use?

The extent to which banks classify their BSA/AML systems as models depends on many factors specific to the individual bank. Some banks treat systems as models to be responsive to regulator expectations, even if those systems do not meet internal definitions of models or satisfy factors outlined in the Joint Statement. Therefore, it is helpful that neither the MRMG nor the Joint Guidance impose a rigid definition of “model” on industry.

Question 2: To what extent are banks’ BSA/AML and OFAC models subject to separate internal oversight for MRM in addition to normal BSA/AML or OFAC compliance requirements?

Audit has oversight of the entire financial institution, including models. In addition, most banks also have separate MRM functions to perform robust model review and validation, which may or may not be relied upon by the respective audit functions.

Question 4: To what extent are the risk management principles discussed in the MRMG appropriate for BSA/AML and OFAC models?

The Agencies should look to announce model risk management principles specific to BSA/AML models for the reasons discussed in Section I above.

Question 6: Do banks consider MRM relative to BSA/AML an impediment to innovation? If so, factors that create impediments? Specific examples?

There are two types of innovation to consider: (1) innovation related to new, emerging risks and (2) innovation to improve existing models, processes, or controls.
As to innovation to address new, emerging risks, banks may work with their internal teams to identify ways they can take immediate action and move to implementation to address the risk. In these situations, a bank’s actions may be exploratory in nature to determine: (1) whether the risk exists at the bank and (2) if so, the most effective manner to address the risk. In 2020, some banks experienced significant increases in suspicious activity reporting, much of it due to various forms of COVID-19 relief fraud. Banks identified new ways to detect these types of frauds. Some banks had more active engagement with law enforcement, which helped refine reporting. It is critical that banks have the flexibility to develop programs to quickly respond to these types of threats without the restrictions imposed by model risk documentation and validation requirements. Months of extended MRM review can result in missed opportunities to report helpful information.

As to innovation of existing models, processes, or controls, a reduction in model validation requirements would result in a reduction of the time required to perform such tasks, which would encourage more innovation in this space.


Thank you for your consideration and your continued efforts to establish model risk management principles appropriate for BSA/AML systems. Should more information be helpful, please do not hesitate to contact the undersigned directly at, or 202-552-6366.



Ebony Sunala Johnson
Associate General Counsel
Consumer Bankers Association