Model Validation Best Practices for Banks
Regulatory Background for Model Risk Management in Banking
In 1998, the hedge fund Long-Term Capital Management L.P. (LTCM) lost $4.4 billion, depleting almost all its capital. In 2007, the subprime mortgage crisis broke out suddenly, with the banks writing down and losing $523 billion by late 2008. In 2012, JP Morgan lost £6 billion, and as a result faced £1 billion in fines, due to overly risky trades.
Before the upheaval of the financial crisis, risk management models in banks, including value-at-risk analysis, did not adequately cover credit risk or market illiquidity. In its 2011 working paper, the European Central Bank (ECB) examined the effects of the 2007–2009 financial crisis and analyzed the interrelations between the risks and banks’ business models. They found that the financial crisis “was characterized by a process of financial deregulation and rapid innovation, with a widespread use of new financial instruments”.
Both the financial deregulation and rapid innovation of the 1990s and early 2000s changed the business models of the banks. Regulators responded with the Basel I and Basel II Accords accordingly. The Basel I Accord called for a minimum ratio of capital to risk-weighted assets. Essentially, it was implemented not only in EU member countries but in all countries where banks operated internationally. The Basel II Accord expanded and developed the rules of Basel I, offered a supervisory review of capital adequacy and internal processes, and strengthened market discipline through disclosure requirements.
The banks continued to rely on their risk management models and the regulators continued to strengthen their requirements. Thus, the subsequent Basel III Framework aimed to protect financial stability and promote sustainable economic growth: the higher the levels of capital, the smaller the probability of financial crises in the future.
Furthermore, the ECB, together with the national supervisory authorities, has conducted a targeted review of internal models (TRIM) between 2016 and 2020. The review relates to model validation, and its findings have allowed the banks to perform self-assessment of their compliance under the regulatory requirements and the regulators to ensure the consistency of the supervisory practices.
This year, the ECB produced its SSM Supervisory Priorities 2020, based on the major drivers of the banking sector risks, with business model sustainability as its second priority. These drivers encompass economic, political, and debt sustainability challenges, business model sustainability, and cybercrime.
At the time of writing, the requirements for model risk management in banking are due to be developed further.
Best Practices for Risk Model Management
As we have learned from the history of crises, model risk may bring adverse consequences and impacts, such as financial losses, damage to reputation, and even closure of businesses. In the light of so many challenges associated with risk management models in banks and financial institutions, many regulators update and publish their guides and recommendations on a regular basis. For example, the ECB and the Board of Governors of the Federal Reserve System offer the Guide to Internal Models and the Supervisory Guidance on Model Risk Management, respectively.
In 2008, Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) developed the Three Lines of Defense Risk Management Model. The three lines of defense are
- Management control
- Risk management and compliance
- Internal audit
These each play a distinct role within an organization’s high-level governance framework. The model itself offers a simple and effective way to communicate risk management and control issues, and sets clear roles and responsibilities. What is more, the model proves to be effective regardless of the organization’s size and complexity.
In some format, these lines of defense already exist in every organization. But, to enhance risk model management efforts, it is recommended to:
- Structure risk and control processes according to the Three Lines of Defense Model
- Support the lines with respective policies
- Set proper coordination between the lines
- Ensure that knowledge and information is shared between the lines
- Avoid combination of the lines if their effectiveness will likely be compromised
Meanwhile, the European Banking Authority requires model validation to be executed to ensure models perform as expected. While internal regulation is deemed to be sufficient for nonregulated industries, some regulators require models to be validated externally by independent experts and require businesses to implement proper model risk management tools.
Effective Model Validation Consultancy by CompatibL
At the third line of defense, banks and financial institutions can find enough resources to validate their models. They may also recruit additional forces, separate teams, to perform model validation tasks. However, for effective model validation, it is important to consider a model lifecycle, its objectives and scope, the process of model development and implementation, periodic reviews, etc.
Thus, model validation requires specific expertise and knowledge. At CompatibL, we offer model validation across a wide range of valuation and risk models, such as Basel II, II.5, III, early IV, ISDA SIMM, IRRBB, FRTB for market and credit risk, and SA-CCR. Our regulatory validation services are transparent and independent, which allows us to ensure their reliability.
These days, the financial markets are heavily dependent on models for calculating risks, managing organization performance, detecting fraud, etc. The malfunction of a model may have drastic consequences. Thus, effective model validation is the key to success in both model performance and the effective management of risks the model tackles or is expected to tackle.