FDIC Guidance: Model Risk Management of Third-party Vendors
FDIC-regulated banks with more than $1 billion in assets and those that use a model that is “significant, complex, or poses elevated risk to the institution” will be subject to the Supervisory Guidance on Model Risk Management, the same guidance already followed by the Fed and the OCC.
Models are already subject to safety and soundness standards, but FIL-22-2017 defines models as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” This goes well beyond simple mathematical calculations, and an FI’s approach will be influenced by its risk exposure, complexity and model usage.
It’s not just FI models that fall under the guidance. Many FIs depend on vendor-supplied models, which require management to limit risk. The guidance frequently mentions third-party vendors, addressing them within each element of risk model management, including:
- Model development, implementation and use. Third-party data should be accurate and relevant.
- Model validation. Proprietary components can make validating vendor models especially challenging. To justify their decision to use a vendor, an FI needs “developmental evidence” from a vendor to explain how its model was designed and should work. The vendor should also provide the results of tests and ongoing performance analysis. FIs need to know whether the data its vendor is using is appropriate and assess the vendor’s model results by using benchmarks, including the FIs own outcomes. There needs to be contingency plans if the vendor is unable to perform modeling.
- Governance, policies and controls. There should be policies for deciding on a vendor model and for validating vendor models and third-party products. Third-party approaches should be documented.
Models are never perfect, and that’s why they introduce risk. That risk can be further amplified if an FI doesn’t understand where and how a vendor creates a model or what kind of data it’s using. When conducting vendor management, don’t forget to protect your institution with proper model risk management.