The author

Steve Finlay

Lead Data Science Consultant

View profile
News & Views / Model Risk Management in an AI-Driven World [SS1/23]
29 May 2024

Model Risk Management in an AI-Driven World [SS1/23]

Earlier this year, the UK Government wrote to regulators, including the ICO, FCA and the Bank of England (incorporating the PRA) asking them to publish details outlining their strategic approach to Artificial Intelligence (AI).

In its response, the Bank referenced a wide range of regulation to evidence its capability to supervise the use of AI in a rapidly evolving environment. However, SS1/23 was the star of the show when it came to the bank's supervisory approach across at least two of five areas highlighted by the government . This makes sense, given that practically all AI-driven applications are based on mathematical models of one type or another. Hence, AI-related risk and model-related risk are invariably linked.

SS1/23 came into effect on May 17th this year. It covers all models used by firms, and by all - we mean all.

The PRA has clarified SS1/23’s scope as covering a firm’s entire operations, rather than just credit and market risk, which for many firms has been the focus of their model risk management in the past. If HR use models to screen job applicants, or if AI-driven chatbots are employed to interact with customers, or generative AI creates personalised advertising content - then these are all within scope.

Is SS1/23 up to the task of supporting such a broad range of models?

The core strength of SS1/23 is it’s principle-based, technology agnostic approach. This makes it as applicable to the most complex large language models imaginable as it is to the simplest rule-based ones. SS1/23 take a top-down approach, focusing on potential risks and outcomes rather than the specific application areas, technological underpinnings or method of operation.

It might then, be safe to assume that one can rest easy, safe in the knowledge that adherence to SS1/23 supports a comprehensive risk management framework that mitigates the dangers AI-based tools present. However, there is one obvious gap, which receives only a passing mention in the Bank’s response to the government.

SS1/23 only applies to firms with IRB permissions for calculating capital requirements. Of more than 1,300 firms regulated by the PRA, only 23 have such permissions. Admittedly, these firms include the UK’s largest banks and building societies, thus covering most UK banking operations. However, as we’ve seen with Google, Amazon and Tesla, new entrants and market disruptors can start small and grow rapidly. There is no regulatory requirement for a newly established FinTech to apply for IRB permissions and there are now fewer incentives for them to do so given the forthcoming implementation of the Basel 3.1 standard. Consequently, the pool of IRB approved firms to which SS1/23 applies is unlikely to materially increase any time soon.

How is the Bank going to ensure that AI-appropriate model risk management principles are applied to the rest of its flock?

Based on the PRA’s previous comments , a pretty sound bet is for the risk management principles described in SS1/23 to be rolled out across the board in the near future. We expect this will be in a simplified form, applied proportionally based on a firm’s size and complexity but we envisage two key impacts:

  1. All organisations can expect to increase the level of resources applied to model risk management in the future.
  2. To successfully embed model risk management principles, firms will need to consider their cultural approach to model risk. Model risk should be front and centre, clearly visible to the board and allocated a similar level of scrutiny and oversight as other areas of risk.

The table below outlines how we see this playing out in terms of actions firms will need to undertake to manage AI-based risks (and model risk in general).

SS1/23 Principle

Actions Required

Principle 1 – Model identification and model risk classification
  • Factoring in the complexity and transparency aspects of AI models into model tiering, meaning that the materiality assessment of a firm’s model landscape captures these risks.
  • Identifying how models interact with other business systems and processes as well as other models, to be able to accurately assess the holistic risk that the model presents.

Principle 2 – Governance
  • Ensuring senior management understands the additional risks associated with complex AI-based models.
  • Model risk is viewed as a risk category in its own right but is also something that can and does interact with other risk types.
  • Reviewing risk appetite statements, ensuring model risk is given equal prominence to other risks and are aligned with firms’ wider risk appetite.
  • Revising governance structures to ensure that model risk management (MRM) receives sufficient attention from senior executives.
  • Identifying suitably qualified individual(s) responsible for MRM with a direct reporting line to the CRO.
  • Ensuring there is business-wide understanding of model risk including the inherent uncertainty in model outcomes. This uncertainty should be a standard discussion item whenever model outputs are reviewed.
  • Executives should be able to articulate the level of uncertainty and how they have factored it into decisions that have been made or influenced by the model.

Principle 3 – Model development, implementation, and use
  • Providing guidelines for developers when building AI models, specifying how and where it is appropriate to use complex techniques.
  • Establishing robust methods to establish the validity and providence of data used to build and implement models using unstructured data and/or data supplied by a third party.
  • Reviewing and updating polices to support appropriate regulatory and legally compliant business use of models.

Principle 4 – Independent model validation
  • Ensuring guidelines for 2nd line MRM functions are appropriate for all types of models across all areas of the business to allow models to be fully validated.
  • Defining specific requirements for how and when AI models should be monitored and how the results of this should be reported through governance.
  • Developing suitable approaches for the validation of unstructured data sources and third-party data.

Principle 5 – Model risk mitigants
  • Developing policies for risk mitigation action plans, which must be in place for when model performance becomes sub-optimal or where model behaviour varies from expectation.

In short, SS1/23’s model risk management principles may not yet apply to most PRA regulated firms. However, it’s only a matter of time before they do. Therefore, forward thinking firms should begin planning now for the inevitable changes that are expected in the MRM regulatory landscape.

 

Jaywing specialises in the development of AI-powered models and have 10+ years of unrivalled experience in helping the UK’s leading banks and challenger firms with their model risk management. We make compliance a certainty.

Discover how we can help you meet and exceed model risk requirements.

29 August 2024

How PSPs can prepare for APP fraud reimbursement regulations

Explore upcoming APP fraud reimbursement regulations for PSPs, evolving fraudster tactics, and essential steps to protect vulnerable customers and ensure compliance.

Ben Archer
26 August 2024

AI vs traditional risk modelling: A comparative analysis

Explore how AI is transforming risk management. Compare traditional vs AI-based models and learn key implementation strategies for financial institutions.

Nick Sime
15 August 2024

New FCA PS24/3 requirements: what you need to know and how to prepare

Learn about FCA's new PS24/3 requirements for consumer credit firms. Discover key challenges, preparation steps, and how Jaywing can help ensure compliance.

David Moody
08 August 2024

PRA's latest guidance on IRB: Key takeaways for wholesale exposures

Explore the PRA's latest IRB guidance from the IRB wholesale roundtable. Unpack key takeaways on risk differentiation, calibration, and model complexity to enhance your regulatory compliance.

Lydia Edwards
02 July 2024

Reflections on Credit Week 2024

Jaywing MD, Ben O'Brien, shares his highlights from the recent Credit Week event, held at Celtic Manor.

Ben O'Brien
05 June 2024

Strengthening fraud defences across banking, telecoms and retail

It's time for telecoms, retailers, banks, regulators, and law enforcement to unite in the fight against fraud.

Ben Archer
29 May 2024

Model Risk Management in an AI-Driven World [SS1/23]

Nearly all AI-driven applications are based on a type of mathematic model - so it's unsurprising that AI-related risk and model-related risk are invariably linked. Examining the Bank of England's supervisory statement on model risk management, Steve Finlay unpacks how firms, in an AI-driven world, can respond to the five principles outlined.

Steve Finlay
22 May 2024

Diving Into The Fraudscape: Insights from CIFAS

CIFAS’ ‘Fraudscape’ report of 2024 sheds light on the persistent and evolving threats facing the fraud prevention community. Ben Archer unpacks some of their key insights – exploring how leveraging education, advanced technologies and collaborative efforts across industries and government bodies can bolster prevention initiatives.

Ben Archer
20 May 2024

Milestones: Celebrating 25 years of Nick Sime at Jaywing

We sat down with Jaywing’s Director of Fraud and Credit Risk Modelling, Nick Sime, to celebrate his 25 years with Jaywing - reflecting on his journey, how this landscape has transformed over the years, and some of his proudest moments.