The author

Steve Finlay

Lead Data Science Consultant

View profile
News & Views / Model Risk Management in an AI-Driven World [SS1/23]
29 May 2024

Model Risk Management in an AI-Driven World [SS1/23]

Earlier this year, the UK Government wrote to regulators, including the ICO, FCA and the Bank of England (incorporating the PRA) asking them to publish details outlining their strategic approach to Artificial Intelligence (AI).

In its response, the Bank referenced a wide range of regulation to evidence its capability to supervise the use of AI in a rapidly evolving environment. However, SS1/23 was the star of the show when it came to the bank's supervisory approach across at least two of five areas highlighted by the government . This makes sense, given that practically all AI-driven applications are based on mathematical models of one type or another. Hence, AI-related risk and model-related risk are invariably linked.

SS1/23 came into effect on May 17th this year. It covers all models used by firms, and by all - we mean all.

The PRA has clarified SS1/23’s scope as covering a firm’s entire operations, rather than just credit and market risk, which for many firms has been the focus of their model risk management in the past. If HR use models to screen job applicants, or if AI-driven chatbots are employed to interact with customers, or generative AI creates personalised advertising content - then these are all within scope.

Is SS1/23 up to the task of supporting such a broad range of models?

The core strength of SS1/23 is it’s principle-based, technology agnostic approach. This makes it as applicable to the most complex large language models imaginable as it is to the simplest rule-based ones. SS1/23 take a top-down approach, focusing on potential risks and outcomes rather than the specific application areas, technological underpinnings or method of operation.

It might then, be safe to assume that one can rest easy, safe in the knowledge that adherence to SS1/23 supports a comprehensive risk management framework that mitigates the dangers AI-based tools present. However, there is one obvious gap, which receives only a passing mention in the Bank’s response to the government.

SS1/23 only applies to firms with IRB permissions for calculating capital requirements. Of more than 1,300 firms regulated by the PRA, only 23 have such permissions. Admittedly, these firms include the UK’s largest banks and building societies, thus covering most UK banking operations. However, as we’ve seen with Google, Amazon and Tesla, new entrants and market disruptors can start small and grow rapidly. There is no regulatory requirement for a newly established FinTech to apply for IRB permissions and there are now fewer incentives for them to do so given the forthcoming implementation of the Basel 3.1 standard. Consequently, the pool of IRB approved firms to which SS1/23 applies is unlikely to materially increase any time soon.

How is the Bank going to ensure that AI-appropriate model risk management principles are applied to the rest of its flock?

Based on the PRA’s previous comments , a pretty sound bet is for the risk management principles described in SS1/23 to be rolled out across the board in the near future. We expect this will be in a simplified form, applied proportionally based on a firm’s size and complexity but we envisage two key impacts:

  1. All organisations can expect to increase the level of resources applied to model risk management in the future.
  2. To successfully embed model risk management principles, firms will need to consider their cultural approach to model risk. Model risk should be front and centre, clearly visible to the board and allocated a similar level of scrutiny and oversight as other areas of risk.

The table below outlines how we see this playing out in terms of actions firms will need to undertake to manage AI-based risks (and model risk in general).

SS1/23 Principle

Actions Required

Principle 1 – Model identification and model risk classification
  • Factoring in the complexity and transparency aspects of AI models into model tiering, meaning that the materiality assessment of a firm’s model landscape captures these risks.
  • Identifying how models interact with other business systems and processes as well as other models, to be able to accurately assess the holistic risk that the model presents.

Principle 2 – Governance
  • Ensuring senior management understands the additional risks associated with complex AI-based models.
  • Model risk is viewed as a risk category in its own right but is also something that can and does interact with other risk types.
  • Reviewing risk appetite statements, ensuring model risk is given equal prominence to other risks and are aligned with firms’ wider risk appetite.
  • Revising governance structures to ensure that model risk management (MRM) receives sufficient attention from senior executives.
  • Identifying suitably qualified individual(s) responsible for MRM with a direct reporting line to the CRO.
  • Ensuring there is business-wide understanding of model risk including the inherent uncertainty in model outcomes. This uncertainty should be a standard discussion item whenever model outputs are reviewed.
  • Executives should be able to articulate the level of uncertainty and how they have factored it into decisions that have been made or influenced by the model.

Principle 3 – Model development, implementation, and use
  • Providing guidelines for developers when building AI models, specifying how and where it is appropriate to use complex techniques.
  • Establishing robust methods to establish the validity and providence of data used to build and implement models using unstructured data and/or data supplied by a third party.
  • Reviewing and updating polices to support appropriate regulatory and legally compliant business use of models.

Principle 4 – Independent model validation
  • Ensuring guidelines for 2nd line MRM functions are appropriate for all types of models across all areas of the business to allow models to be fully validated.
  • Defining specific requirements for how and when AI models should be monitored and how the results of this should be reported through governance.
  • Developing suitable approaches for the validation of unstructured data sources and third-party data.

Principle 5 – Model risk mitigants
  • Developing policies for risk mitigation action plans, which must be in place for when model performance becomes sub-optimal or where model behaviour varies from expectation.

In short, SS1/23’s model risk management principles may not yet apply to most PRA regulated firms. However, it’s only a matter of time before they do. Therefore, forward thinking firms should begin planning now for the inevitable changes that are expected in the MRM regulatory landscape.

 

Jaywing specialises in the development of AI-powered models and have 10+ years of unrivalled experience in helping the UK’s leading banks and challenger firms with their model risk management. We make compliance a certainty.

Discover how we can help you meet and exceed model risk requirements.

08 November 2024

Jaywing clinches 2024 Credit Connect ‘Data & Analytics Solution’ award

Jaywing wins 2024 Credit Connect Award for cutting data costs, boosting loan sales, and enhancing approvals with advanced credit risk analytics

Nevan McBride
07 November 2024

14 lessons in predictive modelling to strengthen credit risk assessments

Read 14 lessons in predictive modelling to boost credit risk assessments, improve stability, and gain a competitive edge with advanced machine learning insights

Nick Sime
05 November 2024

Beyond traditional safeguards: Addressing overlooked fraud vulnerabilities

Learn about critical fraud vulnerabilities in operations, human behaviour, technology and data silos - plus practical steps to protect your organisation.

Ben Archer
31 October 2024

Basel 3.1 IRB update: Analysing the PRA's PS9/24 and its impact on IRB firms

Learn key changes in the PRA's PS9/24 ruleset and how UK banks can prepare for Basel 3.1 compliance before the 2026 deadline.

Paul Monaghan
31 October 2024

New guide: Uncovering hidden vulnerabilities: The key to robust fraud prevention

Our new eBook reveals where fraudsters are most likely to strike and what you can do to stay ahead.

31 October 2024

DCA redress looms: How motor finance firms should prepare after a landmark court ruling

Prepare for potential DCA redress. Here are essential steps motor finance firms should take ahead of the FCA’s 2025 ruling to protect customers and reputation.

Nevan McBride
13 October 2024

The art of data storytelling: turn insights into action

In this post, we discuss the art of data storytelling. We'll look at how to choose the right metrics and create narratives that align with business objectives so that you can take meaningful action.

Karen Snape
27 September 2024

Jaywing wins 2024 DataIQ award for breakthrough AI in fraud prevention

Jaywing’s commitment to innovation in AI-driven fraud prevention has been recognised (again!) this time with a prestigious win at the 2024 DataIQ Awards.

Nevan McBride
16 September 2024

Basel 3.1: Analysing the PRA's PS9/24 ruleset and its impact on banks

Analysis of the PRA's PS9/24 on Basel 3.1 implementation in UK banking. Key changes, impacts, and next steps for firms to prepare for the 2026 deadline.

Carl Ireland