Blog: FHFA Releases Supplemental Model Risk Guidance – Financial … – Mondaq

To print this article, all you need is to be registered or login on Mondaq.com.

On December 21, 2022, the US Federal Housing Finance Agency
(“FHFA”) issued Advisory Bulletin 2022-03
(“Advisory Bulletin” or “Guidance”) to
provide the entities it regulates with supplemental guidance
pertaining to model risk management.1 The Guidance
supplements a 2013 advisory bulletin published by FHFA on the same
topic. While this supplemental Guidance applies only to Fannie Mae,
Freddie Mac, the Federal Home Loan Banks (“FHLBanks”),
and the Office of Finance (collectively, the “regulated
entities”),2 other entities may look to the
FHFA’s Guidance to identify developing trends and best
practices for managing model risk.

In this Legal Update, we highlight certain aspects of the
Advisory Bulletin that are intended to address gaps in the
FHFA’s existing guidance due to changes in model-related
technologies in the mortgage industry.

BACKGROUND

In November 2013, the FHFA issued model risk management guidance
articulating its supervisory expectations for model risk management
and outlining the framework of baseline control and governance
requirements.3 Since the issuance of that guidance,
technology has evolved, and new issues have developed in the use of
models and oversight of model risk, including the increasing
adoption of cloud technology and artificial intelligence/machine
learning techniques. The FHFA also notes that the FHLBanks’
use of models continues to increase, including both models
developed internally as well as those developed externally by
sophisticated vendors. Thus, the issuance of this supplemental
Guidance is intended to build upon the 2013 advisory bulletin and
provide a more comprehensive representation of the scope of
supervisory expectations in this specific subset of operational
risk management.

CERTAIN KEY ASPECTS OF THE UPDATED GUIDANCE

Model Risk Management Framework

As with previous model risk management guidance issued by the
FHFA, the agency acknowledges that there may be differing degrees
of risk depending on the size and complexity of the regulated
entity.

The FHFA indicates that it has observed an increase in the
adoption of certain technologies used in the mortgage industry
since the issuance of the agency’s 2013 model risk management
guidance. Many of these technologies, such as cloud servers, vendor
models, and external data, reside externally to the regulated
entities and are largely outside of the regulated entities’
control. As a result, the FHFA expects that regulated entities will
take a “macro-prudential” view to determine their
systemic dependencies and interconnections by mapping out external
dependencies to significant internal systems. The Guidance
instructs the regulated entities to take inventory of any key
dependencies on externally sourced technologies and have senior
management regularly update and review this inventory to present to
the board of directors, as deemed appropriate.

Model Validation Program

Use of Third Parties – The
Advisory Bulletin suggests that regulated entities can use
third-party reviewers to complete independent model validations.
However, according to this supplemental Guidance, a regulated
entity’s model validation group remains accountable for the
quality, recommendations, and opinions of any third-party
reviewers. Accountability here will look like implementing model
risk management policies and practices that align the
vendor-completed specific standards for an independent validation
with the specific standards included in FHFA’s 2013
guidance.

“Effective Challenge”
– The supplemental Guidance states that model risk management
policies should include acceptable practices for the
“effective challenge” of models. In order for a
practice to be deemed an “effective challenge,” parties
that are independent and informed shall identify model limitations,
evaluate assumptions, and recommend appropriate changes. The FHFA
evaluates the efficacy of an effective challenge by assessing a
combination of incentives, competence, and influence, which can
require, for example, that regulated entities invest human capital
resources in qualified personnel and ensure the distinct separation
of the model challenge process from the model development
process.

The supplemental Guidance indicates that senior levels of
management should give those responsible for effective challenge
processes explicit authority, support, and stature within the
organization. This can be viewed as part of an organization’s
risk culture and reflects the importance of structural risk
controls.

End-User Computing Tools – When
deciding if an end-user computing tool (“EUC”) or
calculator should be classified as a model, and therefore be
subject to the FHFA’s model risk management guidance, the
supplemental Guidance indicates that the FHFA will look at the
increased complexity of and reliance on EUCs and calculators to
carry out critical financial operations. This increased reliance
demonstrates an increased potential for risk. A regulated entity
should therefore classify a significant or important EUC,
calculator, or other data generating process as a model if it (1)
feeds into or out of a model; (2) makes assumptions; and/or (3)
incorporates thresholds or quantitative methodologies.

Under the supplemental Guidance, integrated EUCs, calculators,
and processes should be treated as models subject to model
validations and governance in accordance with the frequency and
rigor outlined in the regulated entity’s model risk
management policies and procedures, when applicable. This reflects
a broader trend of comprehensively inventorying model-like
processes within banking organizations, extending even to processes
that are designed and operating in a manner that is less formal
than typical modelling practices.

Model Control Framework

On-Top Adjustments – The FHFA is
aware that regulated entities will periodically make on-top
adjustments, at the component level or to the overall result of
model outputs, in order to produce more accurate results. As a
result of these adjustments, regulated entities are instructed to
develop and document a clear and transparent process for
determining (1) when on-top adjustments to models are needed; (2)
how the adjustments will be applied; and (3) the length of time for
having these adjustments in place before finding a permanent
solution.

The supplemental Guidance indicates that the FHFA will not
accept a qualitative assessment such as one indicating that model
assumptions or on-top adjustments are “conservative.”
This is because such an assessment does not provide sufficient
support for a quantitative assumption or adjustment. Therefore,
organizations should consider providing sufficient documentation to
support significant modelling assumptions or on-top adjustments,
whether they are “conservative” or not. Included in
this documentation might be justification for the on-top
adjustment, articulation of the effect of the adjustment, and a
statement on how long it will be applied. These adjustments also
should be subjected to effective challenge.

Lastly, the recurrent use of on-top adjustments by regulated
entities requires effective management and oversight and can be an
indicator of an insufficient model or process. The supplemental
Guidance indicates that such continual use of these adjustments
should trigger a proper review in order to determine if the use is
recurrent or simply temporary. Importantly, if an adjustment is
deemed to be recurrent, the model or forecast process may need to
be updated. Further, when updating, a process should be put into
place that incorporates full engagement and feedback from relevant
parties in order to secure effective updates.

Model Assumptions – The
incorporation of modelling assumptions should generally be
implemented in a consistent manner. The FHFA will permit some
inconsistency when certain circumstances arise where models and
assumptions simply cannot be used consistently. According to the
Advisory Bulletin, such an exception would be allowable when, for
example, accounting rules prescribe a specific use and, as a
result, regulated entities require a process to address that use
and evaluate and assess the effect of the inconsistency. The FHFA
notes that these occurrences of inconsistency need to be
appropriately documented.

CONCLUSION

The FHFA’s supplemental Guidance helps to clarify and
further outline supervisory expectations for regulated entities
when using model-related technologies. Overall, the Advisory
Bulletin suggests that close monitoring of internal model processes
and controls will allow the regulated entities an opportunity to
improve their practices and better manage risk. Importantly, this
Guidance is limited to model risk, which is a specific subset of
operational risk.

The supplemental Guidance represents a growing modernized
approach to the increasingly sophisticated integration of
burgeoning technology in the mortgage and banking industries.
Although the Advisory Bulletin only applies specifically to the
entities regulated by the FHFA, other participants in the mortgage
and banking industries may be interested in incorporating its
principles into their model risk management practices.

Additional AuthorBrandon A. Dennis

Footnotes

1. FHFA, AB 2022-03: Supplemental Guidance
to Advisory Bulletin 2013-07 – Model Risk Management
Guidance
 (Dec. 21, 2022), https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Model-Risk-Management-Guidance.aspx.

2. The Advisory Bulletin acknowledges that the
Office of Finance is not a “regulated entity” as the
term is defined in the Federal Housing Enterprises Financial Safety
and Soundness Act (12 U.S.C. 4502(20)) but indicates that the term
“regulated entities” as used in the Advisory Bulletin
should be interpreted to include the Office of Finance.

3. FHFA, AB 2013-07: Model Risk Management
Guidance
 (Nov. 20, 2013) https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx.

Visit us at
mayerbrown.com

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both
limited liability partnerships established in Illinois USA; Mayer
Brown International LLP, a limited liability partnership
incorporated in England and Wales (authorized and regulated by the
Solicitors Regulation Authority and registered in England and Wales
number OC 303359); Mayer Brown, a SELAS established in France;
Mayer Brown JSM, a Hong Kong partnership and its associated
entities in Asia; and Tauil & Chequer Advogados, a Brazilian
law partnership with which Mayer Brown is associated. “Mayer
Brown” and the Mayer Brown logo are the trademarks of the
Mayer Brown Practices in their respective
jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights
reserved.

This
Mayer Brown
article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s