The new PRA Policy Statement 6/23
On 7 May 2023, the Prudential Regulation Authority (PRA) published a new policy statement (PS6/23) which provides feedback to the responses it received on its original consultation paper (CP6/22) and, more importantly, contains the PRA’s final policy, the Supervisory Statement SS1/23 on “Model risk management principles for banks” (SS1/23).
SS1/23 comes into effect on 17 May 2024. It applies to UK banks, building societies and PRA-designated investment firms with internal model approval, and sets out the regulator’s expectations regarding the model risk management (MRM) of those firms.
What is MRM and why is it important?
More generally, model risk refers to the possibility of negative outcomes resulting from errors in a model or the improper utilisation of a model’s outputs to guide business decisions. In recent years, advancements in machine learning, artificial intelligence and other analytics techniques, have resulted in more automated and complex risk management models with interconnected data structures and sources.
These complex models tend to expose firms to higher operational and financial risks than ever before, as firms are more likely to make business decisions that may result in financial losses and/or non-compliance with applicable laws or regulations, while damaging their reputation in the process.
Even though model risk cannot be entirely eliminated, it can certainly be mitigated through an effective MRM framework. As such, the PRA is now the latest regulator to lay its cards on the table in terms of how it expects UK firms to implement effective MRM principles.
The PRA’s expectations
The PRA has set out five high-level principles designed to cover all elements of a firm’s model lifecycle and which are intended, according to the PRA, to “support firms to strengthen their policies, procedures, and practices to identify, manage, and control the risks associated with the use of models”. The new principles apply to all types of models used by a firm, whether developed in-house or externally, including models used for general business and operational banking activities, for financial reporting purposes or for any other decision relevant to the sound operation of the firm.
The PRA’s five new principles are as follows:
Principle 1 – Model identification and model risk classification: Firms are expected to have a clear definition of what constitutes a ‘model’ within the firm, a thorough model inventory, and a risk-based model categorising system.
Principle 2 – Governance: A firm’s board of directors will be overall responsible for promoting a strong MRM culture within the firm, while an accountable senior management fucntion should be appointed to ensure the sound implementation of MRM practices within the firm. The firm’s internal policies and procedures must also reflect its MRM framework to ensure its consistent implementation, while internal audits should be undertaken regularly to assess the overall effectiveness of the MRM framework and its application.
Principle 3 – Model development, implementation and use: Firms are expected to establish robust model development processes with clear standards for model design, implementation, model selection and model performance. Additionally, various data and model outcomes testing should be conducted in order to identify any gaps or limitations within the firm’s models.
Principle 4 – Independent model validation: An independent validation team should carry out periodical reviews and report on the suitability of the firm’s models and their overall performance and implementation. This requirement is likely to result in an increased responsibility for internal or external audit teams.
Principle 5 – Model risk mitigants: The PRA expects firms to establish clearly defined metrics to assess its models and to develop practices on how to handle post-model adjustments.
Even though all of the five principles above apply equally to all PRA-regulated firms, it is important to note that the PRA calls for a proportionate implementation of the principles within each firm, giving consideration to their size, business activities, and the complexity and extent of their model use.
Immediate next steps and new obligations
Before SS1/23 comes into effect on 17 May 2024, firms must complete a self-assessment of their implemented MRM frameworks against the PRA’s new principles and, where necessary, prepare remediation plans to rectify any identified deficiencies.
Firms are expected to repeat a self-assessment at least annually thereafter, and must update their remediation plans based on the findings of each new self-assessment (if necessary).
Even though under SS1/23 firms are not expected to share all their self-assessments or remediation plans with the PRA, the PRA can still request these and therefore they should be completed with the mindset that they may be scrutinised by the regulator.
What does this mean for Fintechs?
As with all directly applicable regulatory updates, affected firms are likely going to look to flow down certain contractual provisions into their current and future contractual arrangements. We anticipate this will take the form of enhanced contractor reporting obligations and potential an expansion to firms audit rights.
Fintechs on the receiving end of such requests should ensure that any proposals from firms are reasonably justified in the context of SS1/23, and that these requests do not seek to shift applicable contractual risk/obligations without any regulatory necessity.
Is there anything else in the pipeline?
In October 2022, the Bank of England, the PRA, and the Financial Conduct Authority (FCA) published a discussion paper on Artificial Intelligence (AI) and Machine Learning (DP5/22). DP5/22 considers how key sectoral legal requirements and guidance apply to the use of AI in UK financial services.
The PRA, the Bank of England and the FCA are currently in the process of analysing the responses to DP5/22 and the PRA has stated that it willconsider the outcome of this analysis to inform any decisions on further policy actions – including with regards to MRM.
If you want to know more about how to navigate the current regulatory landscape, how to embed MRM policies and processes into your business, or how to ensure the requirements of MRM are covered off contractually, please get in touch with our team of Fintech specialists.
This article has been prepared for information purposes only. For specific queries, legal advice, or any further information, please contact us: email@example.com.