AGENCY:

Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Financial Crimes Enforcement Network (FinCEN).^[1]

ACTION:

Notice and request for information and comment.

SUMMARY:

The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the agencies), seek information and comment from interested parties on the extent to which the principles discussed in the interagency Supervisory Guidance on Model Risk Management (referred to as the “model risk management guidance,” or MRMG) support compliance by banks with Bank Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency. The OCC, Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement to clarify that the risk management principles discussed in the MRMG are appropriate considerations in the context of the BSA/AML statutory and regulatory requirements.

DATES:

Comments must be received by June 11, 2021.

ADDRESSES:

Interested parties are invited to submit written comments to:

OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal. Please use the title “Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance with Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements” to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:

• Federal eRulemaking Portal—Regulations.gov: Go to https://regulations.gov/​. Enter “Docket ID OCC-2020-0047” in the Search Box and click “Search.” Public comments can be submitted via the “Comment” box below the displayed document information or by clicking on the document title and then clicking the “Comment” box on the top-left side of the screen. For help with submitting effective comments please click on “Commenter's Checklist.” For assistance with the Regulations.gov site, please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email regulations@erulemakinghelpdesk.com.
• Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
• Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

Instructions: You must include “OCC” as the agency name and “Docket ID OCC-2020-0047” in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

You may review comments and other related materials that pertain to this action by the following method:

• Viewing Comments Electronically—Regulations.gov: Go to https://regulations.gov/​. Enter “Docket ID OCC-2020-0047” in the Search Box and click “Search.” Click on the “Documents” tab and then the document's title. After clicking the document's title, click the “Browse Comments” tab. Comments can be viewed and filtered by clicking on the “Sort By” drop-down on the right side of the screen or the “Refine Results” options on the left side of the screen. Supporting materials can be viewed by clicking on the “Documents” tab and filtered by clicking on the “Sort By” drop-down on the right side of the screen or the “Refine Documents Results” options on the left side of the screen.” For assistance with the Regulations.gov site, please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email regulations@erulemakinghelpdesk.com.

The docket may be viewed after the close of the comment period in the same manner as during the comment period.

Board: You may submit comments, identified by Docket No. OP-1744 by any of the following methods:

• Agency Website: http://www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/​generalinfo/​foia/​ProposedRegs.cfm.
• Email: regs.comments@federalreserve.gov. Include the docket number in the subject line of the message.
• Fax: (202) 452-3819 or (202) 452-3102.
• Mail: Ann Misback, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551.
• All public comments will be made available on the Board's website at http://www.federalreserve.gov/​generalinfo/​foia/​ProposedRegs.cfm as submitted, unless modified for technical reasons or to remove personally identifiable information at the commenter's request. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room 146, 1709 New York Avenue NW, Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays.

FDIC: You may submit comments on the request for information and Start Printed Page 18979comment using any of the following methods:

• Agency Website: https://www.fdic.gov/​regulations/​laws/​federal/. Follow the instructions for submitting comments on the agency's website.
• Email: Comments@fdic.gov. Include RIN 3064-ZA23 in the subject line of the message.
• Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments—RIN 3064-ZA23, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
• Hand Delivery/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW building (located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
• Public Inspection: All public comments received, including any personal information provided, will be posted generally without change to https://www.fdic.gov/​regulations/​laws/​federal/​.

NCUA: You may submit comments to the NCUA, Docket No. NCUA-2021-0007, by any of the methods set forth below. Commenters are encouraged to submit comments through the Federal eRulemaking Portal, if possible. Please use the title “Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance with Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements” to facilitate the organization and distribution of the comments. (Please send comments by one method only):

• Federal eRulemaking Portal— www.regulations.gov. Follow the instructions for submitting comments.
• Fax: (703) 518-6319.
• Mail: Address to Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

In general, the NCUA will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information that you provide such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

You may review comments and other related materials that pertain to this Request for Information and comment by any of the following methods:

• Viewing Comments Electronically: You may view all public comments on the Federal eRulemaking Portal at http://www.regulations.gov as submitted, except for those NCUA cannot post for technical reasons.
• Due to social distancing measures in effect, the usual opportunity to inspect paper copies of comments in the NCUA's law library is not currently available. After social distancing measures are relaxed, visitors may make an appointment to review paper copies by calling (703) 518-6540 or emailing OGCMail@ncua.gov.

FinCEN: Comments may be submitted by any of the following methods:

• Federal E-rulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN-2021-0004.
• Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-2021-0004.

Please submit comments by one method only. Comments submitted in response to this Request for Information and Comment will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT:

OCC: James Vivenzio, BSA/AML Policy Director, (202) 649-5470; Jina Cheon, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219

Board: Suzanne Williams, Deputy Associate Director, Specialized Policy; Koko Ives, Manager, BSA/AML Risk, (202) 973-6163; Lee Davis, Lead Financial Institution Policy Analyst, (202) 912-4350, Division of Supervision and Regulation; Jason Gonzalez, Assistant General Counsel, (202) 452-3275; Bernard Kim, Senior Counsel, (202) 452-3083, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551.

FDIC: Lisa Arquette, Associate Director, (202) 898-3673, larquette@fdic.gov, Division of Risk Management Supervision; Jennifer Maree, Counsel, (202) 898-6543, jemaree@fdic.gov, Legal Division.

NCUA: Timothy Segerson, Deputy Director; Andrew Bludorn, Bank Secrecy Act Officer, Office of Examination & Insurance, or Ian Marenna, Associate General Counsel; Chrisanthy Loizos, Senior Trial Attorney, Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or telephone: (703) 518-6300 or (703) 518-6540.

FinCEN: The FinCEN Regulatory Support Section at 1-800-767-2825 or electronically at frc@fincen.gov.

SUPPLEMENTARY INFORMATION:

I. Background

The sound risk management principles discussed in the MRMG ^[2] are important considerations for the development and management of systems used by banks ^[3] to assist in complying with the requirements of the BSA/AML laws and regulations. Whether a bank characterizes a BSA/AML system ^[4] (or portions of that system) as a model, a tool, or an application, risk management of these systems should be consistent with safety and soundness principles,^[5] and the system should promote compliance with applicable laws and regulations. The MRMG is premised upon sound risk management and governance principles, several of which are referenced in that guidance, such as adequate governance, development, documentation, testing, performance monitoring, validation, and effective challenge.

Stakeholders within the banking industry have questioned how the risk management principles described in the MRMG relate to systems or models used to comply with BSA/AML laws and regulations. The OCC, Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement with this Request for Information (RFI) to clarify that Start Printed Page 18980regardless of how a BSA/AML system is characterized, sound risk management is important, and banks may use the principles discussed in the MRMG to establish, implement, and maintain their risk management framework.

In this RFI, the agencies seek comments and information from interested parties on the extent to which the principles discussed in the MRMG support compliance by banks with BSA/AML laws and regulations. This RFI also seeks feedback on the extent to which the MRMG principles support compliance by banks related to models and systems used in connection with OFAC requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency.

BSA Requirements

The BSA ^[6] is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial activity.

FinCEN, a bureau of the U.S. Department of the Treasury, is the delegated administrator of the BSA. In this capacity, FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, supports examinations, and pursues civil enforcement actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC (the “federal banking agencies”) to examine banks ^[7] within their respective jurisdictions for compliance with the BSA.

The federal banking agencies are responsible for the oversight of the various banking entities operating in the United States, including U.S. branches and agencies of foreign banks. The federal banking agencies' regulations require each bank under their supervision to establish and maintain a BSA compliance program, as does the BSA itself.^[8] At a minimum, the BSA/AML compliance program must include:

• Internal controls to assure ongoing compliance;
• Independent testing for compliance;
• Designation of an individual or individuals, also referred to as the BSA/AML compliance officer(s), responsible for coordinating and monitoring day-to-day compliance; and
• Training for appropriate personnel.

A bank also has requirements related to suspicious activity reporting,^[9] customer identification,^[10] customer due diligence, and beneficial ownership.^[11] BSA/AML systems are often used to assist the bank in meeting these requirements.

Office of Foreign Assets Control Requirements

OFAC is an office of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC acts under the President's wartime and national emergency powers, as well as under authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction.

All U.S. persons, including U.S. banks, bank holding companies, and nonbank subsidiaries, must comply with OFAC's regulations. OFAC-issued regulations apply not only to U.S. banks but also to their foreign branches and overseas offices and often to subsidiaries. OFAC encourages banks to take a risk-based approach to designing and implementing an OFAC compliance program.^[12] In general, the sanctions programs that OFAC administers require banks to do the following:

• Block accounts and other property of specified countries, entities, and individuals.
• Prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals.
• Report blocked property and rejected transactions to OFAC.

Model Risk Management Guidance

On April 4, 2011, the Board and the OCC issued guidance for banks subject to their supervision on effective model risk management (MRM). The FDIC subsequently adopted this guidance in 2017.

Consistent with the federal banking agencies' support of safe and sound banking principles, the MRMG lays out principles for sound MRM in three key areas: (1) Model development, implementation, and use; (2) model validation; and (3) governance, policies, and controls. The guidance describes different MRM responsibilities for different parties within a bank, based on their roles, including those building the models, those independently reviewing the models, and those providing a governance framework for MRM.

Concurrently with the publication of this RFI, the OCC, Board, and FDIC, in consultation with NCUA and FinCEN, have published an “Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.” The MRMG principles provide flexibility for banks in developing, implementing, and updating models. Banks may use some or all of the principles in their risk management processes to support meeting the regulatory requirements of an effective BSA/AML compliance program. The questions posed in this RFI complement the statement and the agencies ask commenters to consider the two documents in conjunction with each other.

II. Request for Information Overview

This RFI seeks information and comment on any aspects of the relationship between BSA/AML and OFAC compliance and the principles conveyed in the MRMG, including how those principles may support compliance and any differences in perceptions regarding their application. This RFI also asks for responses to specific questions outlined below.

Suggested Topics for Commenters

To allow the agencies to evaluate suggestions more effectively, the agencies request that, where possible, comments include:

• Specific discussion of any suggested changes to guidance or regulation, including, in as much detail as possible, the nature of the requested change and supporting data or other information on impacts, costs, and benefits.
• Specific identification of any aspects of the agencies' approach to Start Printed Page 18981BSA/AML and OFAC compliance as it relates to MRMG that are working well and those that could be improved, including, in as much detail as possible, supporting data or other information on impacts, costs, and benefits.

The following sections list areas of interest on which commenters may want to focus. This list is meant to assist in the formulation of comments and is not intended to restrict what may be addressed by the public. Commenters may also address matters related to BSA/AML or OFAC compliance and the principles conveyed in the MRMG that do not appear in the list below. The agencies request that, in addressing these questions, commenters identify issues in as much detail as possible and provide specific examples where appropriate. Commenters are requested to comment on some or all of the questions below and are encouraged to indicate in which area your comments are focused. The agencies request that commenters providing suggestions note their highest priorities, where possible, along with an explanation of how or why certain suggestions have been prioritized.

The term “BSA/AML and OFAC models” is used in the questions below to describe BSA/AML or OFAC compliance systems that a bank considers models, so its interpretation could vary from bank to bank. When providing feedback, please note that the MRMG principles provide flexibility for banks in developing, implementing, and updating models. The extent and nature of model risk varies across models and banks, and a bank's risk management framework is most appropriately tailored when it is commensurate with the nature and materiality of the risk. The agencies are interested in gathering information about industry practices and welcome responses regarding individual banks, as well as common industry practices.

1. What types of systems do banks employ to support BSA/AML and OFAC compliance that they consider models (e.g., automated account/transaction monitoring, interdiction, customer risk rating/scoring)? What types of methodologies or technologies do these systems use (e.g., judgment-based, artificial intelligence or machine learning, or statistical methodologies or technologies)?

2. To what extent are banks' BSA/AML and OFAC models subject to separate internal oversight for MRM in addition to the normal BSA/AML or OFAC compliance requirements? What additional procedures do banks have for BSA and OFAC models beyond BSA/AML or OFAC compliance requirements?

3. To what extent do banks have policies and procedures, either specific to BSA/AML and OFAC models or applicable to models generally, governing the validation of BSA/AML and OFAC models, including, but not limited to, the validation frequency, minimum standards, and areas of coverage (i.e., which scenarios, thresholds, or components of the model to cover)?

4. To what extent are the risk management principles discussed in the MRMG appropriate for BSA/AML and OFAC models? Please explain why certain principles may be more or less appropriate for bank operations of varying size and complexity? Are there other principles not discussed in the MRMG that would be appropriate for banks to consider?

5. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has resulted in substantial delays in implementing, updating, and improving systems. Please describe any factors that might create such delays, including specific examples.^[13]

6. Some bankers have reported that banks' application of MRM to BSA/AML and OFAC models has been an impediment to developing and implementing more innovative and effective approaches to BSA/AML and OFAC compliance. Do banks consider MRM relative to BSA/AML an impediment to innovation? If yes, please describe the factors that create the impediments, including specific examples.^[14]

7. To what extent do banks' MRM frameworks include testing and validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA? Please explain.

8. To what extent do banks use an outside party to perform validations of BSA/AML and OFAC compliance systems? Does the validation only include BSA/AML and OFAC models, as opposed to other types of models used by the banks? Why are outside parties used to perform validation? ^[15]

9. To what extent do banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both? What challenges arise with such systems considering the principles discussed in the MRMG? Are there challenges that are unique to any one of these systems?

10. To what extent do banks' MRM frameworks apply to all models, including BSA/AML and OFAC models? Why or why not?

11. Specific to suspicious activity monitoring systems, the agencies are gathering information about industry practices. The agencies welcome responses to the following, regarding individual bank and common industry practices.

a. Suspicious activity monitoring system validation:

i. To what extent do banks validate such systems before implementation?

ii. Are banks able to implement changes without fully validating such systems? If so, please describe the circumstances.

iii. How frequently do banks validate after implementation?

iv. To what extent do banks validate after implementing changes to existing systems (e.g., new scenarios, threshold changes, or adding/changing customer peers or segments)? Please describe the circumstances in which you think this would be appropriate.

v. How do banks validate such systems?

vi. What, if any, compensating controls do banks use if they have not had an opportunity to validate such systems?

b. Suspicious activity monitoring system benchmarking: What, if any, external or internal data or models do banks use to compare their suspicious activity systems' inputs and outputs for purposes of benchmarking?

c. Suspicious activity monitoring system back-testing: How do banks attempt to compare outcomes from suspicious activity systems with actual outcomes, given that law enforcement outcomes are often unknown?

d. Suspicious activity monitoring system sensitivity analysis: How do banks check the impact of changes to inputs, assumptions, or other factors in their systems to ensure they fall within an expected range?

12. To what extent do banks calibrate the scope and frequency of MRM testing and validation for BSA/AML and OFAC Start Printed Page 18982models based on their materiality? How do they do so?

Footnotes