Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements

Published date: 12 April 2021
Citation: 86 FR 18978
Record Number: 2021-07428
Section: Notices
Court: Federal Deposit Insurance Corporation, Federal Reserve Board, Financial Crimes Enforcement Network, National Credit Union Administration, The Comptroller Of The Currency Office, Federal Reserve System
Federal Register, Volume 86 Issue 68 (Monday, April 12, 2021)
[Federal Register Volume 86, Number 68 (Monday, April 12, 2021)]
                [Notices]
                [Pages 18978-18982]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2021-07428]
                =======================================================================
                -----------------------------------------------------------------------
                DEPARTMENT OF THE TREASURY
                Office of the Comptroller of the Currency
                [Docket No. OCC-2020-0047]
                FEDERAL RESERVE BOARD
                [Docket No. OP-1744]
                FEDERAL DEPOSIT INSURANCE CORPORATION
                RIN 3064-ZA23
                NATIONAL CREDIT UNION ADMINISTRATION
                [Docket No. NCUA-2021-0007]
                RIN 3133-AF33
                DEPARTMENT OF THE TREASURY
                Financial Crimes Enforcement Network
                [Docket No. FINCEN-2021-0004]
                Request for Information and Comment: Extent to Which Model Risk
                Management Principles Support Compliance With Bank Secrecy Act/Anti-
                Money Laundering and Office of Foreign Assets Control Requirements
                AGENCY: Office of the Comptroller of the Currency (OCC), Board of
                Governors of the Federal Reserve System (Board), Federal Deposit
                Insurance Corporation (FDIC), National Credit Union Administration
                (NCUA), and Financial Crimes Enforcement Network (FinCEN).\1\
                ---------------------------------------------------------------------------
                 \1\ This Request for Information primarily focuses on the
                institutions supervised by the Board, FDIC, NCUA, and OCC. FinCEN's
                BSA regulations apply to a broader group of financial institutions
                and any information submitted by financial institutions other than
                banks will be collected on behalf of FinCEN.
                ACTION: Notice and request for information and comment.
                -----------------------------------------------------------------------
                SUMMARY: The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the
                agencies), seek information and comment from interested parties on the
                extent to which the principles discussed in the interagency Supervisory
                Guidance on Model Risk Management (referred to as the ``model risk
                management guidance,'' or MRMG) support compliance by banks with Bank
                Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign
                Assets Control (OFAC) requirements. The agencies seek this information
                to enhance their understanding of bank practices in these areas and
                determine whether additional explanation or clarification may increase
                transparency, effectiveness, or efficiency. The OCC, Board, and FDIC,
                in consultation with NCUA and FinCEN, are concurrently issuing a
                statement to clarify that the risk management principles discussed in
                the MRMG are appropriate considerations in the context of the BSA/AML
                statutory and regulatory requirements.
                DATES: Comments must be received by June 11, 2021.
                ADDRESSES: Interested parties are invited to submit written comments
                to:
                 OCC: Commenters are encouraged to submit comments through the
                Federal eRulemaking Portal. Please use the title ``Request for
                Information and Comment: Extent to Which Model Risk Management
                Principles Support Compliance with Bank Secrecy Act/Anti-Money
                Laundering and Office of Foreign Assets Control Requirements'' to
                facilitate the organization and distribution of the comments. You may
                submit comments by any of the following methods:
                 Federal eRulemaking Portal--Regulations.gov: Go to https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the Search Box
                and click ``Search.'' Public comments can be submitted via the
                ``Comment'' box below the displayed document information or by clicking
                on the document title and then clicking the ``Comment'' box on the top-
                left side of the screen. For help with submitting effective comments
                please click on ``Commenter's Checklist.'' For assistance with the
                Regulations.gov site, please call (877) 378-5457 (toll free) or (703)
                454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email
                [email protected].
                 Mail: Chief Counsel's Office, Attention: Comment
                Processing, Office of the Comptroller of the Currency, 400 7th Street
                SW, Suite 3E-218, Washington, DC 20219.
                 Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218,
                Washington, DC 20219.
                 Instructions: You must include ``OCC'' as the agency name and
                ``Docket ID OCC-2020-0047'' in your comment. In general, the OCC will
                enter all comments received into the docket and publish the comments on
                the Regulations.gov website without change, including any business or
                personal information provided such as name and address information,
                email addresses, or phone numbers. Comments received, including
                attachments and other supporting materials, are part of the public
                record and subject to public disclosure. Do not include any information
                in your comment or supporting materials that you consider confidential
                or inappropriate for public disclosure.
                 You may review comments and other related materials that pertain to
                this action by the following method:
                 Viewing Comments Electronically--Regulations.gov: Go to
                https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the
                Search Box and click ``Search.'' Click on the ``Documents'' tab and
                then the document's title. After clicking the document's title, click
                the ``Browse Comments'' tab. Comments can be viewed and filtered by
                clicking on the ``Sort By'' drop-down on the right side of the screen
                or the ``Refine Results'' options on the left side of the screen.
                Supporting materials can be viewed by clicking on the ``Documents'' tab
                and filtered by clicking on the ``Sort By'' drop-down on the right side
                of the screen or the ``Refine Documents Results'' options on the left
                side of the screen. For assistance with the Regulations.gov site,
                please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday,
                9 a.m.-5 p.m. ET or email [email protected].
                 The docket may be viewed after the close of the comment period in
                the same manner as during the comment period.
                 Board: You may submit comments, identified by Docket No. OP-1744 by
                any of the following methods:
                 Agency Website: http://www.federalreserve.gov. Follow the
                instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
                 Email: [email protected]. Include the
                docket number in the subject line of the message.
                 Fax: (202) 452-3819 or (202) 452-3102.
                 Mail: Ann Misback, Secretary, Board of Governors of the
                Federal Reserve System, 20th Street and Constitution Avenue NW,
                Washington, DC 20551.
                 All public comments will be made available on the Board's
                website at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons or
                to remove personally identifiable information at the commenter's
                request. Accordingly, your comments will not be edited to remove any
                identifying or contact information. Public comments may also be viewed
                electronically or in paper in Room 146, 1709 New York Avenue NW,
                Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays.
                 FDIC: You may submit comments on the request for information and
                comment using any of the following methods:
                 Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the
                agency's website.
                 Email: [email protected]. Include RIN 3064-ZA23 in the
                subject line of the message.
                 Mail: James P. Sheesley, Assistant Executive Secretary,
                Attention: Comments--RIN 3064-ZA23, Federal Deposit Insurance
                Corporation, 550 17th Street NW, Washington, DC 20429.
                 Hand Delivery/Courier: Comments may be hand-delivered to
                the guard station at the rear of the 550 17th Street NW building
                (located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
                 Public Inspection: All public comments received, including
                any personal information provided, will be posted generally without
                change to https://www.fdic.gov/regulations/laws/federal/.
                 NCUA: You may submit comments to the NCUA, Docket No. NCUA-2021-
                0007, by any of the methods set forth below. Commenters are encouraged
                to submit comments through the Federal eRulemaking Portal, if possible.
                Please use the title ``Request for Information and Comment: Extent to
                Which Model Risk Management Principles Support Compliance with Bank
                Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control
                Requirements'' to facilitate the organization and distribution of the
                comments. (Please send comments by one method only):
                 Federal eRulemaking Portal-- www.regulations.gov. Follow
                the instructions for submitting comments.
                 Fax: (703) 518-6319.
                 Mail: Address to Melane Conyers-Ausbrooks, Secretary of
                the Board, National Credit Union Administration, 1775 Duke Street,
                Alexandria, VA 22314-3428.
                 In general, the NCUA will enter all comments received into the
                docket and publish the comments on the Regulations.gov website without
                change, including any business or personal information that you provide
                such as name and address information, email addresses, or phone
                numbers. Comments received, including attachments and other supporting
                materials, are part of the public record and subject to public
                disclosure. Do not include any information in your comment or
                supporting materials that you consider confidential or inappropriate
                for public disclosure.
                 You may review comments and other related materials that pertain to
                this Request for Information and comment by any of the following
                methods:
                 Viewing Comments Electronically: You may view all public
                comments on the Federal eRulemaking Portal at http://www.regulations.gov as submitted, except for those NCUA cannot post for
                technical reasons.
                 Due to social distancing measures in effect, the usual
                opportunity to inspect paper copies of comments in the NCUA's law
                library is not currently available. After social distancing measures
                are relaxed, visitors may make an appointment to review paper copies by
                calling (703) 518-6540 or emailing [email protected].
                 FinCEN: Comments may be submitted by any of the following methods:
                 Federal E-rulemaking Portal: http://www.regulations.gov.
                Follow the instructions for submitting comments. Refer to Docket Number
                FINCEN-2021-0004.
                 Mail: Policy Division, Financial Crimes Enforcement
                Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
                2021-0004.
                 Please submit comments by one method only. Comments submitted in
                response to this Request for Information and Comment will become a
                matter of public record. Therefore, you should submit only information
                that you wish to make publicly available.
                FOR FURTHER INFORMATION CONTACT:
                 OCC: James Vivenzio, BSA/AML Policy Director, (202) 649-5470; Jina
                Cheon, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's Office,
                (202) 649-5490, Office of the Comptroller of the Currency, 400 7th
                Street SW, Washington, DC 20219.
                 Board: Suzanne Williams, Deputy Associate Director, Specialized
                Policy; Koko Ives, Manager, BSA/AML Risk, (202) 973-6163; Lee Davis,
                Lead Financial Institution Policy Analyst, (202) 912-4350, Division of
                Supervision and Regulation; Jason Gonzalez, Assistant General Counsel,
                (202) 452-3275; Bernard Kim, Senior Counsel, (202) 452-3083, Legal
                Division, Board of Governors of the Federal Reserve System, 20th and C
                Streets NW, Washington, DC 20551.
                 FDIC: Lisa Arquette, Associate Director, (202) 898-3673,
                [email protected], Division of Risk Management Supervision; Jennifer
                Maree, Counsel, (202) 898-6543, [email protected], Legal Division.
                 NCUA: Timothy Segerson, Deputy Director; Andrew Bludorn, Bank
                Secrecy Act Officer, Office of Examination & Insurance, or Ian Marenna,
                Associate General Counsel; Chrisanthy Loizos, Senior Trial Attorney,
                Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or
                telephone: (703) 518-6300 or (703) 518-6540.
                 FinCEN: The FinCEN Regulatory Support Section at 1-800-767-2825 or
                electronically at [email protected].
                SUPPLEMENTARY INFORMATION:
                I. Background
                 The sound risk management principles discussed in the MRMG \2\ are
                important considerations for the development and management of systems
                used by banks \3\ to assist in complying with the requirements of the
                BSA/AML laws and regulations. Whether a bank characterizes a BSA/AML
                system \4\ (or portions of that system) as a model, a tool, or an
                application, risk management of these systems should be consistent with
                safety and soundness principles,\5\ and the system should promote
                compliance with applicable laws and regulations. The MRMG is premised
                upon sound risk management and governance principles, several of which
                are referenced in that guidance, such as adequate governance,
                development, documentation, testing, performance monitoring,
                validation, and effective challenge.
                ---------------------------------------------------------------------------
                 \2\ Refer to the ``Supervisory Guidance on Model Risk
                Management,'' Federal Reserve Supervision and Regulation Letter 11-
                7, https://www.federalreserve.gov/supervisionreg/srletters/srletters.htm; OCC Bulletin 2011-12, https://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12.html; and FDIC Financial
                Institution Letter-22-2017, https://www.fdic.gov/news/financial-institution-letters/2017/fil17022.html.
                 \3\ The MRMG does not apply to credit unions, as it was not
                issued by the NCUA. As used in this Request for Information,
                however, the term ``bank'' includes each agent, agency, branch, or
                office within the United States of banks, credit unions, savings
                associations, and foreign banks as defined in Bank Secrecy Act
                regulations at 31 CFR 1010.100(d).
                 \4\ In the BSA/AML context, the term ``system'' includes a
                bank's policies, procedures, or processes to identify, research and
                report unusual activity, typically known as suspicious activity
                monitoring and reporting systems, and are critical internal controls
                for ensuring an effective BSA/AML compliance program.
                 \5\ Refer to the Interagency Guidelines Establishing Standards
                for Safety and Soundness, 12 CFR 208, Appendix D-1 (Federal
                Reserve); 12 CFR 364, Appendix A (FDIC); and 12 CFR 30, Appendix A
                (OCC).
                ---------------------------------------------------------------------------
                 Stakeholders within the banking industry have questioned how the
                risk management principles described in the MRMG relate to systems or
                models used to comply with BSA/AML laws and regulations. The OCC,
                Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently
                issuing a statement with this Request for Information (RFI) to clarify
                that
                regardless of how a BSA/AML system is characterized, sound risk
                management is important, and banks may use the principles discussed in
                the MRMG to establish, implement, and maintain their risk management
                framework.
                 In this RFI, the agencies seek comments and information from
                interested parties on the extent to which the principles discussed in
                the MRMG support compliance by banks with BSA/AML laws and regulations.
                This RFI also seeks feedback on the extent to which the MRMG principles
                support compliance by banks related to models and systems used in
                connection with OFAC requirements. The agencies seek this information
                to enhance their understanding of bank practices in these areas and
                determine whether additional explanation or clarification may increase
                transparency, effectiveness, or efficiency.
                BSA Requirements
                 The BSA \6\ is intended to safeguard the U.S. financial system and
                the financial institutions that make up that system from the abuses of
                financial crime, including money laundering, terrorist financing, and
                other illicit financial activity.
                ---------------------------------------------------------------------------
                 \6\ 31 CFR 1010.100(e).
                ---------------------------------------------------------------------------
                 FinCEN, a bureau of the U.S. Department of the Treasury, is the
                delegated administrator of the BSA. In this capacity, FinCEN issues
                regulations and interpretive guidance, provides outreach to regulated
                industries, supports examinations, and pursues civil enforcement
                actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC
                (the ``federal banking agencies'') to examine banks \7\ within their
                respective jurisdictions for compliance with the BSA.
                ---------------------------------------------------------------------------
                 \7\ The term ``bank'' is used here as in Bank Secrecy Act
                regulations at 31 CFR 1010.100(d).
                ---------------------------------------------------------------------------
                 The federal banking agencies are responsible for the oversight of
                the various banking entities operating in the United States, including
                U.S. branches and agencies of foreign banks. The federal banking
                agencies' regulations require each bank under their supervision to
                establish and maintain a BSA compliance program, as does the BSA
                itself.\8\ At a minimum, the BSA/AML compliance program must include:
                ---------------------------------------------------------------------------
                 \8\ 12 CFR 21.21 (OCC), 12 CFR 208.63, 12 CFR 211.5(m) and 12
                CFR 211.24(j) (Board); 12 CFR 326.8 (FDIC); 12 CFR 748.2(b) (NCUA).
                As set forth in 31 CFR 1020.210 (FinCEN), a bank regulated by one of
                the federal functional regulators is deemed to have satisfied
                FinCEN's AML program requirements if the bank develops and maintains
                a BSA compliance program that complies with the regulation of its
                federal functional regulator governing such programs.
                ---------------------------------------------------------------------------
                 Internal controls to assure ongoing compliance;
                 Independent testing for compliance;
                 Designation of an individual or individuals, also referred
                to as the BSA/AML compliance officer(s), responsible for coordinating
                and monitoring day-to-day compliance; and
                 Training for appropriate personnel.
                 A bank also has requirements related to suspicious activity
                reporting,\9\ customer identification,\10\ customer due diligence, and
                beneficial ownership.\11\ BSA/AML systems are often used to assist the
                bank in meeting these requirements.
                ---------------------------------------------------------------------------
                 \9\ 12 CFR 21.11 and 12 CFR 163.180(d) (OCC); 12 CFR 208.62, 12
                CFR 211.5(k), 12 CFR 211.24(f), and 12 CFR 225.4(f) (Board); 12 CFR
                353 (FDIC); 12 CFR 748.1(c) (NCUA); and 31 CFR 1020.320 (FinCEN).
                 \10\ 12 CFR 21.21(c)(2) (OCC); 12 CFR 208.63(b)(2), 211.5(m)(2),
                and 211.24(j)(2) (Board); 12 CFR 326.8(b)(2) (FDIC); 12 CFR
                748.2(b)(2) (NCUA); and 31 CFR 1020.220 (FinCEN).
                 \11\ 31 CFR 1020.210(a)(2)(v) and 31 CFR 1010.230.
                ---------------------------------------------------------------------------
                Office of Foreign Assets Control Requirements
                 OFAC is an office of the U.S. Department of the Treasury that
                administers and enforces economic and trade sanctions based on U.S.
                foreign policy and national security goals against targeted foreign
                countries, terrorists, international narcotics traffickers, and those
                engaged in activities related to the proliferation of weapons of mass
                destruction. OFAC acts under the President's wartime and national
                emergency powers, as well as under authority granted by specific
                legislation, to impose controls on transactions and freeze assets under
                U.S. jurisdiction.
                 All U.S. persons, including U.S. banks, bank holding companies, and
                nonbank subsidiaries, must comply with OFAC's regulations. OFAC-issued
                regulations apply not only to U.S. banks but also to their foreign
                branches and overseas offices and often to subsidiaries. OFAC
                encourages banks to take a risk-based approach to designing and
                implementing an OFAC compliance program.\12\ In general, the sanctions
                programs that OFAC administers require banks to do the following:
                ---------------------------------------------------------------------------
                 \12\ Framework for OFAC Compliance Commitments. See, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
                ---------------------------------------------------------------------------
                 Block accounts and other property of specified countries,
                entities, and individuals.
                 Prohibit or reject unlicensed trade and financial
                transactions with specified countries, entities, and individuals.
                 Report blocked property and rejected transactions to OFAC.
                Model Risk Management Guidance
                 On April 4, 2011, the Board and the OCC issued guidance for banks
                subject to their supervision on effective model risk management (MRM).
                The FDIC subsequently adopted this guidance in 2017.
                 Consistent with the federal banking agencies' support of safe and
                sound banking principles, the MRMG lays out principles for sound MRM in
                three key areas: (1) Model development, implementation, and use; (2)
                model validation; and (3) governance, policies, and controls. The
                guidance describes different MRM responsibilities for different parties
                within a bank, based on their roles, including those building the
                models, those independently reviewing the models, and those providing a
                governance framework for MRM.
                 Concurrently with the publication of this RFI, the OCC, Board, and
                FDIC, in consultation with NCUA and FinCEN, have published an
                ``Interagency Statement on Model Risk Management for Bank Systems
                Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.'' The
                MRMG principles provide flexibility for banks in developing,
                implementing, and updating models. Banks may use some or all of the
                principles in their risk management processes to support meeting the
                regulatory requirements of an effective BSA/AML compliance program. The
                questions posed in this RFI complement the statement and the agencies
                ask commenters to consider the two documents in conjunction with each
                other.
                II. Request for Information Overview
                 This RFI seeks information and comment on any aspects of the
                relationship between BSA/AML and OFAC compliance and the principles
                conveyed in the MRMG, including how those principles may support
                compliance and any differences in perceptions regarding their
                application. This RFI also asks for responses to specific questions
                outlined below.
                Suggested Topics for Commenters
                 To allow the agencies to evaluate suggestions more effectively, the
                agencies request that, where possible, comments include:
                 Specific discussion of any suggested changes to guidance
                or regulation, including, in as much detail as possible, the nature of
                the requested change and supporting data or other information on
                impacts, costs, and benefits.
                 Specific identification of any aspects of the agencies'
                approach to
                BSA/AML and OFAC compliance as it relates to MRMG that are working well
                and those that could be improved, including, in as much detail as
                possible, supporting data or other information on impacts, costs, and
                benefits.
                 The following sections list areas of interest on which commenters
                may want to focus. This list is meant to assist in the formulation of
                comments and is not intended to restrict what may be addressed by the
                public. Commenters may also address matters related to BSA/AML or OFAC
                compliance and the principles conveyed in the MRMG that do not appear
                in the list below. The agencies request that, in addressing these
                questions, commenters identify issues in as much detail as possible and
                provide specific examples where appropriate. Commenters are requested
                to comment on some or all of the questions below and are encouraged to
                indicate in which area your comments are focused. The agencies request
                that commenters providing suggestions note their highest priorities,
                where possible, along with an explanation of how or why certain
                suggestions have been prioritized.
                 The term ``BSA/AML and OFAC models'' is used in the questions below
                to describe BSA/AML or OFAC compliance systems that a bank considers
                models, so its interpretation could vary from bank to bank. When
                providing feedback, please note that the MRMG principles provide
                flexibility for banks in developing, implementing, and updating models.
                The extent and nature of model risk varies across models and banks, and
                a bank's risk management framework is most appropriately tailored when
                it is commensurate with the nature and materiality of the risk. The
                agencies are interested in gathering information about industry
                practices and welcome responses regarding individual banks, as well as
                common industry practices.
                 1. What types of systems do banks employ to support BSA/AML and
                OFAC compliance that they consider models (e.g., automated account/
                transaction monitoring, interdiction, customer risk rating/scoring)?
                What types of methodologies or technologies do these systems use (e.g.,
                judgment-based, artificial intelligence or machine learning, or
                statistical methodologies or technologies)?
                 2. To what extent are banks' BSA/AML and OFAC models subject to
                separate internal oversight for MRM in addition to the normal BSA/AML
                or OFAC compliance requirements? What additional procedures do banks
                have for BSA and OFAC models beyond BSA/AML or OFAC compliance
                requirements?
                 3. To what extent do banks have policies and procedures, either
                specific to BSA/AML and OFAC models or applicable to models generally,
                governing the validation of BSA/AML and OFAC models, including, but not
                limited to, the validation frequency, minimum standards, and areas of
                coverage (i.e., which scenarios, thresholds, or components of the model
                to cover)?
                 4. To what extent are the risk management principles discussed in
                the MRMG appropriate for BSA/AML and OFAC models? Please explain why
                certain principles may be more or less appropriate for bank operations
                of varying size and complexity. Are there other principles not
                discussed in the MRMG that would be appropriate for banks to consider?
                 5. Some bankers have reported that banks' application of MRM to
                BSA/AML and OFAC models has resulted in substantial delays in
                implementing, updating, and improving systems. Please describe any
                factors that might create such delays, including specific examples.\13\
                ---------------------------------------------------------------------------
                 \13\ The MRMG recognizes that banks assess different models in
                different ways: ``The nature of testing and analysis will depend on
                the type of model and will be judged by different criteria depending
                on the context.''
                ---------------------------------------------------------------------------
                 6. Some bankers have reported that banks' application of MRM to
                BSA/AML and OFAC models has been an impediment to developing and
                implementing more innovative and effective approaches to BSA/AML and
                OFAC compliance. Do banks consider MRM relative to BSA/AML an
                impediment to innovation? If yes, please describe the factors that
                create the impediments, including specific examples.\14\
                ---------------------------------------------------------------------------
                 \14\ In the MRMG, a key determinant of the extent of validation
                activities is ``materiality.'' Banks may choose to implement less
                material changes to models without revalidation.
                ---------------------------------------------------------------------------
                 7. To what extent do banks' MRM frameworks include testing and
                validation processes that are more extensive than reviews conducted to
                meet the independent testing requirement of the BSA? Please explain.
                 8. To what extent do banks use an outside party to perform
                validations of BSA/AML and OFAC compliance systems? Does the validation
                only include BSA/AML and OFAC models, as opposed to other types of
                models used by the banks? Why are outside parties used to perform
                validation? \15\
                ---------------------------------------------------------------------------
                 \15\ The decision to use an outside party is entirely the bank's
                own, in accordance with the bank's third-party risk management and
                model risk management requirements.
                ---------------------------------------------------------------------------
                 9. To what extent do banks employ internally developed BSA/AML or
                OFAC compliance systems, third-party systems, or both? What challenges
                arise with such systems considering the principles discussed in the
                MRMG? Are there challenges that are unique to any one of these systems?
                 10. To what extent do banks' MRM frameworks apply to all models,
                including BSA/AML and OFAC models? Why or why not?
                 11. Specific to suspicious activity monitoring systems, the
                agencies are gathering information about industry practices. The
                agencies welcome responses to the following, regarding individual bank
                and common industry practices.
                 a. Suspicious activity monitoring system validation:
                 i. To what extent do banks validate such systems before
                implementation?
                 ii. Are banks able to implement changes without fully validating
                such systems? If so, please describe the circumstances.
                 iii. How frequently do banks validate after implementation?
                 iv. To what extent do banks validate after implementing changes to
                existing systems (e.g., new scenarios, threshold changes, or adding/
                changing customer peers or segments)? Please describe the circumstances
                in which you think this would be appropriate.
                 v. How do banks validate such systems?
                 vi. What, if any, compensating controls do banks use if they have
                not had an opportunity to validate such systems?
                 b. Suspicious activity monitoring system benchmarking: What, if
                any, external or internal data or models do banks use to compare their
                suspicious activity systems' inputs and outputs for purposes of
                benchmarking?
                 c. Suspicious activity monitoring system back-testing: How do banks
                attempt to compare outcomes from suspicious activity systems with
                actual outcomes, given that law enforcement outcomes are often unknown?
                 d. Suspicious activity monitoring system sensitivity analysis: How
                do banks check the impact of changes to inputs, assumptions, or other
                factors in their systems to ensure they fall within an expected range?
                 12. To what extent do banks calibrate the scope and frequency of
                MRM testing and validation for BSA/AML and OFAC
                [[Page 18982]]
                models based on their materiality? How do they do so?
                Blake J. Paulson,
                Acting Comptroller of the Currency.
                 By order of the Board of Governors of the Federal Reserve
                System.
                Ann Misback,
                Secretary of the Board.
                Federal Deposit Insurance Corporation.
                 Dated at Washington, DC, on or about January 22, 2021.
                Debra A. Decker,
                Deputy Executive Secretary.
                Melane Conyers-Ausbrooks,
                Secretary of the Board, National Credit Union Administration.
                AnnaLou Tirol,
                Deputy Director, Financial Crimes Enforcement Network.
                [FR Doc. 2021-07428 Filed 4-9-21; 8:45 am]
                BILLING CODE 6210-01-P; 6705-01-P; 4810-33-P
                
