Office of the Superintendent of Financial Institutions
OSFI undertook a comparative assessment of guidance around model risk management processes in Pillar I and Pillar II capital guidelines and other guidelines where models are used by financial institutions. OSFI found several process commonalities but identified potential gaps in the Pillar II capital space. Based on those findings, OSFI began developing guidance to communicate expectations with respect to enterprise-wide model risk management.
From December 2016 to February 2017, OSFI consulted on this guideline as part of its domestic requirements for banks, foreign bank branches, bank holding companies, federally-regulated trust companies, and federally-regulated loan companies. At that time, OSFI proposed that this framework become effective on November 1, 2017 for both internal models approved institutions (IMAIs) and standardized institutions (SIs).
Reliance on models in management decision making is pervasive. Since models are approximations of reality, there is a risk of error in the process and choices of inputs, processing, measurement and interpretation of outputs. OSFI establishes expectations for model risk management in Pillar I regulatory capital models in its Capital Adequacy Requirements guideline. These are often laid out under headings such as qualitative requirements. OSFI recognizes that models may be used by institutions in the context of the internal capital adequacy assessment process; however, models are further used for valuation, margining, accounting expected loss provisioning and business decision-making purposes (such as credit adjudication models). All, to varying degrees, pose a risk of loss whether directly or indirectly through the damage to an institution’s reputation.
OSFI believes there is sufficient commonality in the general governance process intended to manage an institution’s model risk exposure to articulate its baseline expectations as institutions become increasingly sophisticated and more reliant on models.
OSFI’s objective is to issue comprehensive and clear guidance to institutions outlining common standards for enterprise-wide model risk management. This guidance aims to establish expectations for institutions as they become increasingly reliant on models, including processes around the identification and documentation of material models. In so doing, the implementation of this guidance will take into consideration the potential operational burden in relation to small and medium sized institutions which may have non-material reliance on models, or difficulties establishing mechanisms to effectively challenge the use of models.
Option 1 – Establish baseline expectations for model risk management in formal OSFI guidance
This option entails the creation of a guideline that would establish a common baseline understanding of OSFI’s expectations around the use of models enterprise-wide. This option also allows OSFI to articulate and apply proportionality principles to small and medium sized institutions that face a different set of challenges around the usage of models.
Option 2 – Make no changes – rely only on each individual guideline to communicate case specific model risk management expectations
The advantage of this option is that OSFI would not have to devote resources to producing its own guidance. However, institutions would be left without comprehensive guidance on OSFI’s expectations surrounding the use of models across the enterprise. Further, OSFI would need to consider revisions to pre-existing guidance where model risk management elements lack clarity. Institutions would need to be aware of expectations each time they applied a new model. This is inefficient for both institutions and OSFI as OSFI would be required to devote resources on an ongoing basis in order to respond to enquiries from the industry related to implementation issues that could be referenced to this guideline.
OSFI issued draft guideline E-23 for public consultation in December 2016. OSFI received comments from six stakeholders. A summary of material comments received from industry stakeholders and an explanation of how they have been addressed has been provided in the cover letter accompanying the final guideline.
OSFI is of the view that an Enterprise-Wide Model Risk Management guideline is the most appropriate option for ensuring that institutions have a baseline understanding of OSFI’s expectations related to an institution’s use of models. It is recommended that such a guideline be created to offer enhanced guidance on best practices in model risk management and to convey OSFI's expectations around the application of these requirements to institutions of different sizes and sophistication.
The final guideline will be effective November 1, 2017 for IMAIs. For SIs, the final guideline will be effective January 1, 2019. OSFI expects FRFIs to comply with all applicable requirements in the guideline as of those respective dates and will use supervisory judgement in addressing FRFIs' compliance. In the event that a FRFI transitions towards an IMAI designation then OSFI will communicate its higher model risk management compliance expectations over an appropriate timeline.