Office of the Superintendent of Financial Institutions
This guideline outlines OSFI's expectations for insurersFootnote 1 when establishing and maintaining an oversight framework with policies and procedures that identify, assess, and manage risks of internal models used to determine regulatory capital requirements in accordance with the OSFI Minimum Capital Test (MCT) guideline (internal model).
This guideline applies to insurers that have received approval to use an internal model.Footnote 2 An internal model developed by an insurer and used for determining MCT regulatory capital requirements captures the risks faced by the particular insurer more precisely than a non-customized standard approach. Insurer-specific elements of the model could include model inputs, model form, modeling technique or choice of parameters.
Insurers should satisfy the expectations of this guideline on an ongoing basis and demonstrate compliance upon request.Footnote 3
An insurer should align the oversight framework surrounding the use of internal models, as appropriate, within its broader corporate governance framework.Footnote 4 The model oversight framework should articulate, through policies and procedures, how the insurer identifies and manages internal model risk.
Internal model risk is the risk of adverse financial (e.g., capital, losses, revenue) and reputational consequences arising from the design, development, implementation and/or use of an internal model. It can originate from, among other things, inappropriate specifications; incorrect parameter estimates; flawed hypotheses and/or assumptions; mathematical computation errors; inaccurate, inappropriate or incomplete data; inappropriate, improper or unintended usage; and inadequate monitoring and/or controls.
OSFI expects the oversight framework to include, among other things:
The insurer should have an oversight framework that covers internal model data and each of the following internal model life cycle phasesFootnote 5: initial development or subsequent modification, objective vetting, approval or rejection, ongoing and objective validation, and decommissioning.
Insurers should document their internal model oversight framework. The documentation should include:
OSFI expects insurers with internal models to review and update their documentation on a regular basis so it is current, accurate and complete.
To assess that the policies and procedures established under the oversight framework are operating as intended, an insurer should implement a process to verify on an ongoing and periodic basis that tasks are completed in accordance with the policies and procedures, hereafter referred to as the Internal Model Risk Control (IMRC) process. An IMRC process should be established for both data risk and internal model risk.
The IMRC process to assess the appropriateness, accuracy, completeness and timeliness of the data used in the internal model should include:
The IMRC process to assess that the internal model risk policies and procedures are operating as intended should include the following elements:
As part of the IMRC process, an insurer should identify a person or a committee: the Risk Control Officer/Committee (RCO/C) who has the responsibility for the initial vetting that model control processes are effective and the ongoing objective validation that the internal model is working as intended. The RCO/C should be separate from both the business functions (e.g. underwriting and claims reserving) and the internal model development group.
In discharging its responsibilities, the RCO/C should challenge the model's appropriateness. The challenge function must be effective and must be able to elevate concerns to an appropriate level. The RCO/C should reside within the Canadian operations of the insurer and have sufficient authority and stature within the insurer to have any issues and deficiencies addressed in a timely and substantive manner. The RCO/C should report to an individual who is (a) separate from the business functions and the internal model development group, (b) not the model executiveFootnote 6, defined in section 126.96.36.199 below, and (c) a member of or have direct access to the Board of Directors or a committee thereof.
In discharging its vetting and validation responsibilities, the RCO/C can use the work of internal objective reviewers (e.g., at the parent or home office) and objective third party expert resources. An objective reviewer or expert should not be or have been responsible for or actively involved in developing, maintaining or using the internal model.
An insurer should subject each of the internal model life cycle phases to its IMRC process. The following describes elements that insurers should consider in each model phase.
Prior to the development or material modification of an internal model, the relevant business area (e.g., internal model users) should identify an economic or business rationale for developing a new or revised internal model. For all new internal models and material modifications, the insurer should document the modelling choices, the information/evidence and other considerations used in making the decision, including an assessment of the suitability of the selection in relation to the intended purpose.
After deciding to proceed with a new or revised internal model, an insurer should document the process it intends to follow for model development. This should serve as a control tool and will aid other parties, including the RCO/C, in understanding the internal model/ modification. This will help, for example, in the construction of suitable benchmarks for comparison or for vetting of the internal model. The documentation should include:
Insurers should articulate what constitutes a material internal model modification and establish a process for managing and documenting the modifications. This process should consider, for example: a series of controls governing authorizations to change internal model components; a record of validation sign-offs since the internal model inception; and a record of empirical test results to assess whether or not internal model results have changed. The process should identify the personnel permitted, or the authority needed, to make changes to the model. Change control and verification should prevent any divergence between the approved internal model and the one used in operation.
Modifications to an existing model may require OSFI approval before the insurer can use it to determine regulatory capital requirements.
Vetting is an objective review of the theory underlying the model, the model assumptions and inputs, and any software required to put the model into production. The RCO/C should vetFootnote 7 a new or materially revised (design or assumptions) internal model before it is used. The vetting process should constitute an effective challenge. It should also make an objective assessment on whether the internal model is sound and fit for its intended purposes. The vetting should review, among other things, the rationale and information supporting model development team's recommendation for model approval. The vetting process should also include:
When an insurer makes a material modification to an internal model, it should apply the same level of rigour to vetting the modification as that involved in vetting a new internal model.
The RCO/C should document the results from the internal model vetting process and make a separate objective recommendation for the approval/rejection of the model along with any conditions on usage.
Insurers should not approve internal models for operational use without first undergoing an objective vetting process.
Insurers should have a well-defined and documented process for approving/rejecting requests for the use of internal models, including the identification of a model executive. The model executive is the individual and/or committee responsible for assessing the RCO/C's findings and recommendations and making a decision regarding the approval, use and/or limitation of use of any new model or changes to pre-existing models.
The model executive should not be responsible for the development of the internal model. In addition, there should be a clear separation between the model executive and,
In its review, the model executive should assess the RCO/C's findings and recommendations and make a final determination with respect to the use and/or limitations of use of the new model or changes to the existing model.
With the passage of time, developments (e.g., changes to markets, regulations, theoretical advancements, and insurers' policies) can alter the level of risk of an internal model. An insurer's ongoing and objective validation should consider these developments, re-examine the level of internal model risk and determine whether the model continues to perform as intended.
Validation constitutes a review to monitor model performance to confirm that the model remains fit for use and it is producing valid results. The ongoing and objective validation processes should include actions such as:
Ongoing validation - Model users and developers are responsible for ongoing validation of the internal model.
Objective validation - The RCO/C is responsible for performing a periodic objective validation of the model. The RCO/C should determine whether all the prescribed steps in a particular process were performed and that the prescribed steps were performed properly, the model remains fit for use, the results were explained correctly and are consistent or contrasted with expectations, and that any tracked issues were addressed in a timely manner. In addition, the RCO/C should:
The RCO/C should document its findings and recommendations and report any disagreements to senior management, including the model executive. The insurer should have a process to track and assess the resolution of past RCO/C findings and recommendations.
An objective validation should occur at a frequency that is consistent with internal assessments of model risk materiality. However, objective validations should occur at least annually.
Insurers may decommission an internal model due to its poor performance or obsolescence.
Insurers should have policies and procedures, including documentation standardsFootnote 9, for decommissioning internal models. The process should include prior notification to OSFI and all other key stakeholders. Where it does not intend to replace a model, the insurer should document the reasons for not replacing the internal model.
The IMRC process documentation should provide evidence that the insurer is complying with its data and model risk control policies and procedures and the occurrence of any exceptions/findings along with the actions being taken to correct deficiencies, if any.
IMRC documentation may include:
Internal audit is an objective function within an insurer. It should promote effective internal model risk oversight and control. OSFI expects that insurers will establish general and specific requirements with respect to the periodic review of internal model oversight to assess compliance with established policies and procedures. To remain objective, individuals conducting the review and making the assessment should not have been involved in internal model development, its objective vetting/validation or use.
Internal audit should assess the overall adequacy of the model oversight framework, including its compliance with the data and model control policies and procedures, as well as the effectiveness of the IMRC process. The internal audit review and assessment should include:
- END -
For the purposes of this guideline, insurers refers to federally regulated property and casualty insurance companies that are not mortgage insurance companies and Canadian branches of foreign property and casualty insurance companies.
Return to footnote 1
This guideline does not apply to third party earthquake models used for regulatory capital purposes or to internal models used for other than regulatory capital purposes.
Return to footnote 2
Failure to satisfy these expectations on an ongoing basis may result in supervisory action, which could include a temporary requirement to hold additional capital or withdrawal of approval to use an internal model. The withdrawal of approval would require the insurer to use (revert to) the standard approach for determining its regulatory capital requirements.
Return to footnote 3
OSFI's Corporate Governance Guideline articulates OSFI's principles and expectations with respect to corporate governance of institutions.
Return to footnote 4
An insurer's model process may have additional phases or sub-phases, wherein some of the expected policies and procedures may apply.
Return to footnote 5
Depending on the size and the complexity of the insurer, it may be acceptable for an insurer to combine the role of model executive and the RCO/C as long as there is no potential conflict of interest and objectivity is maintained.
Return to footnote 6
For the purposes of this guideline, we distinguish the expression "vetting" from "validation". We use vetting to identify a discrete activity, occurring as a pre-defined step in a process (e.g., the creation of a new internal model or the making of material modifications of an existing internal model). In contrast, validation is an ongoing monitoring activity (e.g., ongoing assessment of model performance or related user processes).
Return to footnote 7
Return to footnote 8
Documentation should be available at the time of model decommission.
Return to footnote 9