Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements, 18978-18982 [2021-07428]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION
• National Credit Union Administration
• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY
• Financial Crimes Enforcement Network
• Federal Reserve Board

[Federal Register Volume 86, Number 68 (Monday, April 12, 2021)]
[Notices]
[Pages 18978-18982]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-07428]



[[Page 18978]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. OCC-2020-0047]

FEDERAL RESERVE BOARD

[Docket No. OP-1744]

FEDERAL DEPOSIT INSURANCE CORPORATION

RIN 3064-ZA23

NATIONAL CREDIT UNION ADMINISTRATION

[Docket No. NCUA-2021-0007]
RIN 3133-AF33

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

[Docket No. FINCEN-2021-0004]


Request for Information and Comment: Extent to Which Model Risk 
Management Principles Support Compliance With Bank Secrecy Act/Anti-
Money Laundering and Office of Foreign Assets Control Requirements

AGENCY: Office of the Comptroller of the Currency (OCC), Board of 
Governors of the Federal Reserve System (Board), Federal Deposit 
Insurance Corporation (FDIC), National Credit Union Administration 
(NCUA), and Financial Crimes Enforcement Network (FinCEN).\1\
---------------------------------------------------------------------------

    \1\ This Request for Information primarily focuses on the 
institutions supervised by the Board, FDIC, NCUA, and OCC. FinCEN's 
BSA regulations apply to a broader group of financial institutions 
and any information submitted by financial institutions other than 
banks will be collected on behalf of FinCEN.

ACTION: Notice and request for information and comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the 
agencies), seek information and comment from interested parties on the 
extent to which the principles discussed in the interagency Supervisory 
Guidance on Model Risk Management (referred to as the ``model risk 
management guidance,'' or MRMG) support compliance by banks with Bank 
Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign 
Assets Control (OFAC) requirements. The agencies seek this information 
to enhance their understanding of bank practices in these areas and 
determine whether additional explanation or clarification may increase 
transparency, effectiveness, or efficiency. The OCC, Board, and FDIC, 
in consultation with NCUA and FinCEN, are concurrently issuing a 
statement to clarify that the risk management principles discussed in 
the MRMG are appropriate considerations in the context of the BSA/AML 
statutory and regulatory requirements.

DATES: Comments must be received by June 11, 2021.

ADDRESSES: Interested parties are invited to submit written comments 
to:
    OCC: Commenters are encouraged to submit comments through the 
Federal eRulemaking Portal. Please use the title ``Request for 
Information and Comment: Extent to Which Model Risk Management 
Principles Support Compliance with Bank Secrecy Act/Anti-Money 
Laundering and Office of Foreign Assets Control Requirements'' to 
facilitate the organization and distribution of the comments. You may 
submit comments by any of the following methods:
     Federal eRulemaking Portal--Regulations.gov: Go to https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the Search Box 
and click ``Search.'' Public comments can be submitted via the 
``Comment'' box below the displayed document information or by clicking 
on the document title and then clicking the ``Comment'' box on the top-
left side of the screen. For help with submitting effective comments 
please click on ``Commenter's Checklist.'' For assistance with the 
Regulations.gov site, please call (877) 378-5457 (toll free) or (703) 
454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email 
[email protected].
     Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, 400 7th Street 
SW, Suite 3E-218, Washington, DC 20219.
     Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
    Instructions: You must include ``OCC'' as the agency name and 
``Docket ID OCC-2020-0047'' in your comment. In general, the OCC will 
enter all comments received into the docket and publish the comments on 
the Regulations.gov website without change, including any business or 
personal information provided such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    You may review comments and other related materials that pertain to 
this action by the following method:
     Viewing Comments Electronically--Regulations.gov: Go to 
https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the 
Search Box and click ``Search.'' Click on the ``Documents'' tab and 
then the document's title. After clicking the document's title, click 
the ``Browse Comments'' tab. Comments can be viewed and filtered by 
clicking on the ``Sort By'' drop-down on the right side of the screen 
or the ``Refine Results'' options on the left side of the screen. 
Supporting materials can be viewed by clicking on the ``Documents'' tab 
and filtered by clicking on the ``Sort By'' drop-down on the right side 
of the screen or the ``Refine Documents Results'' options on the left 
side of the screen.'' For assistance with the Regulations.gov site, 
please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 
9 a.m.-5 p.m. ET or email [email protected].
    The docket may be viewed after the close of the comment period in 
the same manner as during the comment period.
    Board: You may submit comments, identified by Docket No. OP-1744 by 
any of the following methods:
     Agency Website: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Email: [email protected]. Include the 
docket number in the subject line of the message.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Ann Misback, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue NW, 
Washington, DC 20551.
     All public comments will be made available on the Board's 
website at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons or 
to remove personally identifiable information at the commenter's 
request. Accordingly, your comments will not be edited to remove any 
identifying or contact information. Public comments may also be viewed 
electronically or in paper in Room 146, 1709 New York Avenue NW, 
Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays.
    FDIC: You may submit comments on the request for information and

[[Page 18979]]

comment using any of the following methods:
     Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the 
agency's website.
     Email: [email protected]. Include RIN 3064-ZA23 in the 
subject line of the message.
     Mail: James P. Sheesley, Assistant Executive Secretary, 
Attention: Comments--RIN 3064-ZA23, Federal Deposit Insurance 
Corporation, 550 17th Street NW, Washington, DC 20429.
     Hand Delivery/Courier: Comments may be hand-delivered to 
the guard station at the rear of the 550 17th Street NW building 
(located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
     Public Inspection: All public comments received, including 
any personal information provided, will be posted generally without 
change to https://www.fdic.gov/regulations/laws/federal/.
    NCUA: You may submit comments to the NCUA, Docket No. NCUA-2021-
0007, by any of the methods set forth below. Commenters are encouraged 
to submit comments through the Federal eRulemaking Portal, if possible. 
Please use the title ``Request for Information and Comment: Extent to 
Which Model Risk Management Principles Support Compliance with Bank 
Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control 
Requirements'' to facilitate the organization and distribution of the 
comments. (Please send comments by one method only):
     Federal eRulemaking Portal-- www.regulations.gov. Follow 
the instructions for submitting comments.
     Fax: (703) 518-6319.
     Mail: Address to Melane Conyers-Ausbrooks, Secretary of 
the Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, VA 22314-3428.
    In general, the NCUA will enter all comments received into the 
docket and publish the comments on the Regulations.gov website without 
change, including any business or personal information that you provide 
such as name and address information, email addresses, or phone 
numbers. Comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not include any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    You may review comments and other related materials that pertain to 
this Request for Information and comment by any of the following 
methods:
     Viewing Comments Electronically: You may view all public 
comments on the Federal eRulemaking Portal at https://www.regulations.gov as submitted, except for those NCUA cannot post for 
technical reasons.
     Due to social distancing measures in effect, the usual 
opportunity to inspect paper copies of comments in the NCUA's law 
library is not currently available. After social distancing measures 
are relaxed, visitors may make an appointment to review paper copies by 
calling (703) 518-6540 or emailing [email protected].
    FinCEN: Comments may be submitted by any of the following methods:
     Federal E-rulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Refer to Docket Number 
FINCEN-2021-0004.
     Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2021-0004.
    Please submit comments by one method only. Comments submitted in 
response to this Request for Information and Comment will become a 
matter of public record. Therefore, you should submit only information 
that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT:
    OCC: James Vivenzio, BSA/AML Policy Director, (202) 649-5470; Jina 
Cheon, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's Office, 
(202) 649-5490, Office of the Comptroller of the Currency, 400 7th 
Street SW, Washington, DC 20219
    Board: Suzanne Williams, Deputy Associate Director, Specialized 
Policy; Koko Ives, Manager, BSA/AML Risk, (202) 973-6163; Lee Davis, 
Lead Financial Institution Policy Analyst, (202) 912-4350, Division of 
Supervision and Regulation; Jason Gonzalez, Assistant General Counsel, 
(202) 452-3275; Bernard Kim, Senior Counsel, (202) 452-3083, Legal 
Division, Board of Governors of the Federal Reserve System, 20th and C 
Streets NW, Washington, DC 20551.
    FDIC: Lisa Arquette, Associate Director, (202) 898-3673, 
[email protected], Division of Risk Management Supervision; Jennifer 
Maree, Counsel, (202) 898-6543, [email protected], Legal Division.
    NCUA: Timothy Segerson, Deputy Director; Andrew Bludorn, Bank 
Secrecy Act Officer, Office of Examination & Insurance, or Ian Marenna, 
Associate General Counsel; Chrisanthy Loizos, Senior Trial Attorney, 
Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or 
telephone: (703) 518-6300 or (703) 518-6540.
    FinCEN: The FinCEN Regulatory Support Section at 1-800-767-2825 or 
electronically at [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    The sound risk management principles discussed in the MRMG \2\ are 
important considerations for the development and management of systems 
used by banks \3\ to assist in complying with the requirements of the 
BSA/AML laws and regulations. Whether a bank characterizes a BSA/AML 
system \4\ (or portions of that system) as a model, a tool, or an 
application, risk management of these systems should be consistent with 
safety and soundness principles,\5\ and the system should promote 
compliance with applicable laws and regulations. The MRMG is premised 
upon sound risk management and governance principles, several of which 
are referenced in that guidance, such as adequate governance, 
development, documentation, testing, performance monitoring, 
validation, and effective challenge.
---------------------------------------------------------------------------

    \2\ Refer to the ``Supervisory Guidance on Model Risk 
Management,'' Federal Reserve Supervision and Regulation Letter 11-
7, https://www.federalreserve.gov/supervisionreg/srletters/srletters.htm; OCC Bulletin 2011-12, https://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12.html; and FDIC Financial 
Institution Letter-22-2017, https://www.fdic.gov/news/financial-institution-letters/2017/fil17022.html.
    \3\ The MRMG does not apply to credit unions, as it was not 
issued by the NCUA. As used in this Request for Information, 
however, the term ``bank'' includes each agent, agency, branch, or 
office within the United States of banks, credit unions, savings 
associations, and foreign banks as defined in Bank Secrecy Act 
regulations at 31 CFR 1010.100(d).
    \4\ In the BSA/AML context, the term ``system'' includes a 
bank's policies, procedures, or processes to identify, research and 
report unusual activity, typically known as suspicious activity 
monitoring and reporting systems, and are critical internal controls 
for ensuring an effective BSA/AML compliance program.
    \5\ Refer to the Interagency Guidelines Establishing Standards 
for Safety and Soundness, 12 CFR 208, Appendix D-1 (Federal 
Reserve); 12 CFR 364, Appendix A (FDIC); and 12 CFR 30, Appendix A 
(OCC).
---------------------------------------------------------------------------

    Stakeholders within the banking industry have questioned how the 
risk management principles described in the MRMG relate to systems or 
models used to comply with BSA/AML laws and regulations. The OCC, 
Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently 
issuing a statement with this Request for Information (RFI) to clarify 
that

[[Page 18980]]

regardless of how a BSA/AML system is characterized, sound risk 
management is important, and banks may use the principles discussed in 
the MRMG to establish, implement, and maintain their risk management 
framework.
    In this RFI, the agencies seek comments and information from 
interested parties on the extent to which the principles discussed in 
the MRMG support compliance by banks with BSA/AML laws and regulations. 
This RFI also seeks feedback on the extent to which the MRMG principles 
support compliance by banks related to models and systems used in 
connection with OFAC requirements. The agencies seek this information 
to enhance their understanding of bank practices in these areas and 
determine whether additional explanation or clarification may increase 
transparency, effectiveness, or efficiency.

BSA Requirements

    The BSA \6\ is intended to safeguard the U.S. financial system and 
the financial institutions that make up that system from the abuses of 
financial crime, including money laundering, terrorist financing, and 
other illicit financial activity.
---------------------------------------------------------------------------

    \6\ 31 CFR 1010.100(e).
---------------------------------------------------------------------------

    FinCEN, a bureau of the U.S. Department of the Treasury, is the 
delegated administrator of the BSA. In this capacity, FinCEN issues 
regulations and interpretive guidance, provides outreach to regulated 
industries, supports examinations, and pursues civil enforcement 
actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC 
(the ``federal banking agencies'') to examine banks \7\ within their 
respective jurisdictions for compliance with the BSA.
---------------------------------------------------------------------------

    \7\ The term ``bank'' is used here as in Bank Secrecy Act 
regulations at 31 CFR 1010.100(d).
---------------------------------------------------------------------------

    The federal banking agencies are responsible for the oversight of 
the various banking entities operating in the United States, including 
U.S. branches and agencies of foreign banks. The federal banking 
agencies' regulations require each bank under their supervision to 
establish and maintain a BSA compliance program, as does the BSA 
itself.\8\ At a minimum, the BSA/AML compliance program must include:
---------------------------------------------------------------------------

    \8\ 12 CFR 21.21 (OCC), 12 CFR 208.63, 12 CFR 211.5(m) and 12 
CFR 211.24(j) (Board); 12 CFR 326.8 (FDIC); 12 CFR 748.2(b) (NCUA). 
As set forth in 31 CFR 1020.210 (FinCEN), a bank regulated by one of 
the federal functional regulators is deemed to have satisfied 
FinCEN's AML program requirements if the bank develops and maintains 
a BSA compliance program that complies with the regulation of its 
federal functional regulator governing such programs.
---------------------------------------------------------------------------

     Internal controls to assure ongoing compliance;
     Independent testing for compliance;
     Designation of an individual or individuals, also referred 
to as the BSA/AML compliance officer(s), responsible for coordinating 
and monitoring day-to-day compliance; and
     Training for appropriate personnel.
    A bank also has requirements related to suspicious activity 
reporting,\9\ customer identification,\10\ customer due diligence, and 
beneficial ownership.\11\ BSA/AML systems are often used to assist the 
bank in meeting these requirements.
---------------------------------------------------------------------------

    \9\ 12 CFR 21.11 and 12 CFR 163.180(d) (OCC); 12 CFR 208.62, 12 
CFR 211.5(k), 12 CFR 211.24(f)), and 12 CFR 225.4(f) (Board); 12 CFR 
353 (FDIC); 12 CFR 748.1(c) (NCUA); and 31 CFR 1020.320 (FinCEN).
    \10\ 12 CFR 21.21(c)(2) (OCC); 12 CFR 208.63(b)(2), 211.5(m)(2), 
and 211.24(j)(2) (Board); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 
748.2(b)(2) (NCUA); and 31 CFR 1020.220 (FinCEN).
    \11\ 31 CFR 1020.210(a)(2)(v) and 31 CFR 1010.230.
---------------------------------------------------------------------------

Office of Foreign Assets Control Requirements

    OFAC is an office of the U.S. Department of the Treasury that 
administers and enforces economic and trade sanctions based on U.S. 
foreign policy and national security goals against targeted foreign 
countries, terrorists, international narcotics traffickers, and those 
engaged in activities related to the proliferation of weapons of mass 
destruction. OFAC acts under the President's wartime and national 
emergency powers, as well as under authority granted by specific 
legislation, to impose controls on transactions and freeze assets under 
U.S. jurisdiction.
    All U.S. persons, including U.S. banks, bank holding companies, and 
nonbank subsidiaries, must comply with OFAC's regulations. OFAC-issued 
regulations apply not only to U.S. banks but also to their foreign 
branches and overseas offices and often to subsidiaries. OFAC 
encourages banks to take a risk-based approach to designing and 
implementing an OFAC compliance program.\12\ In general, the sanctions 
programs that OFAC administers require banks to do the following:
---------------------------------------------------------------------------

    \12\ Framework for OFAC Compliance Commitments. See, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
---------------------------------------------------------------------------

     Block accounts and other property of specified countries, 
entities, and individuals.
     Prohibit or reject unlicensed trade and financial 
transactions with specified countries, entities, and individuals.
     Report blocked property and rejected transactions to OFAC.

Model Risk Management Guidance

    On April 4, 2011, the Board and the OCC issued guidance for banks 
subject to their supervision on effective model risk management (MRM). 
The FDIC subsequently adopted this guidance in 2017.
    Consistent with the federal banking agencies' support of safe and 
sound banking principles, the MRMG lays out principles for sound MRM in 
three key areas: (1) Model development, implementation, and use; (2) 
model validation; and (3) governance, policies, and controls. The 
guidance describes different MRM responsibilities for different parties 
within a bank, based on their roles, including those building the 
models, those independently reviewing the models, and those providing a 
governance framework for MRM.
    Concurrently with the publication of this RFI, the OCC, Board, and 
FDIC, in consultation with NCUA and FinCEN, have published an 
``Interagency Statement on Model Risk Management for Bank Systems 
Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.'' The 
MRMG principles provide flexibility for banks in developing, 
implementing, and updating models. Banks may use some or all of the 
principles in their risk management processes to support meeting the 
regulatory requirements of an effective BSA/AML compliance program. The 
questions posed in this RFI complement the statement and the agencies 
ask commenters to consider the two documents in conjunction with each 
other.

II. Request for Information Overview

    This RFI seeks information and comment on any aspects of the 
relationship between BSA/AML and OFAC compliance and the principles 
conveyed in the MRMG, including how those principles may support 
compliance and any differences in perceptions regarding their 
application. This RFI also asks for responses to specific questions 
outlined below.

Suggested Topics for Commenters

    To allow the agencies to evaluate suggestions more effectively, the 
agencies request that, where possible, comments include:
     Specific discussion of any suggested changes to guidance 
or regulation, including, in as much detail as possible, the nature of 
the requested change and supporting data or other information on 
impacts, costs, and benefits.
     Specific identification of any aspects of the agencies' 
approach to

[[Page 18981]]

BSA/AML and OFAC compliance as it relates to MRMG that are working well 
and those that could be improved, including, in as much detail as 
possible, supporting data or other information on impacts, costs, and 
benefits.
    The following sections list areas of interest on which commenters 
may want to focus. This list is meant to assist in the formulation of 
comments and is not intended to restrict what may be addressed by the 
public. Commenters may also address matters related to BSA/AML or OFAC 
compliance and the principles conveyed in the MRMG that do not appear 
in the list below. The agencies request that, in addressing these 
questions, commenters identify issues in as much detail as possible and 
provide specific examples where appropriate. Commenters are requested 
to comment on some or all of the questions below and are encouraged to 
indicate in which area your comments are focused. The agencies request 
that commenters providing suggestions note their highest priorities, 
where possible, along with an explanation of how or why certain 
suggestions have been prioritized.
    The term ``BSA/AML and OFAC models'' is used in the questions below 
to describe BSA/AML or OFAC compliance systems that a bank considers 
models, so its interpretation could vary from bank to bank. When 
providing feedback, please note that the MRMG principles provide 
flexibility for banks in developing, implementing, and updating models. 
The extent and nature of model risk varies across models and banks, and 
a bank's risk management framework is most appropriately tailored when 
it is commensurate with the nature and materiality of the risk. The 
agencies are interested in gathering information about industry 
practices and welcome responses regarding individual banks, as well as 
common industry practices.
    1. What types of systems do banks employ to support BSA/AML and 
OFAC compliance that they consider models (e.g., automated account/
transaction monitoring, interdiction, customer risk rating/scoring)? 
What types of methodologies or technologies do these systems use (e.g., 
judgment-based, artificial intelligence or machine learning, or 
statistical methodologies or technologies)?
    2. To what extent are banks' BSA/AML and OFAC models subject to 
separate internal oversight for MRM in addition to the normal BSA/AML 
or OFAC compliance requirements? What additional procedures do banks 
have for BSA and OFAC models beyond BSA/AML or OFAC compliance 
requirements?
    3. To what extent do banks have policies and procedures, either 
specific to BSA/AML and OFAC models or applicable to models generally, 
governing the validation of BSA/AML and OFAC models, including, but not 
limited to, the validation frequency, minimum standards, and areas of 
coverage (i.e., which scenarios, thresholds, or components of the model 
to cover)?
    4. To what extent are the risk management principles discussed in 
the MRMG appropriate for BSA/AML and OFAC models? Please explain why 
certain principles may be more or less appropriate for bank operations 
of varying size and complexity? Are there other principles not 
discussed in the MRMG that would be appropriate for banks to consider?
    5. Some bankers have reported that banks' application of MRM to 
BSA/AML and OFAC models has resulted in substantial delays in 
implementing, updating, and improving systems. Please describe any 
factors that might create such delays, including specific examples.\13\
---------------------------------------------------------------------------

    \13\ The MRMG recognizes that banks assess different models in 
different ways: ``The nature of testing and analysis will depend on 
the type of model and will be judged by different criteria depending 
on the context.''
---------------------------------------------------------------------------

    6. Some bankers have reported that banks' application of MRM to 
BSA/AML and OFAC models has been an impediment to developing and 
implementing more innovative and effective approaches to BSA/AML and 
OFAC compliance. Do banks consider MRM relative to BSA/AML an 
impediment to innovation? If yes, please describe the factors that 
create the impediments, including specific examples.\14\
---------------------------------------------------------------------------

    \14\ In the MRMG, a key determinant of the extent of validation 
activities is ``materiality.'' Banks may choose to implement less 
material changes to models without revalidation.
---------------------------------------------------------------------------

    7. To what extent do banks' MRM frameworks include testing and 
validation processes that are more extensive than reviews conducted to 
meet the independent testing requirement of the BSA? Please explain.
    8. To what extent do banks use an outside party to perform 
validations of BSA/AML and OFAC compliance systems? Does the validation 
only include BSA/AML and OFAC models, as opposed to other types of 
models used by the banks? Why are outside parties used to perform 
validation? \15\
---------------------------------------------------------------------------

    \15\ The decision to use an outside party is entirely the bank's 
own, in accordance with the bank's third-party risk management and 
model risk management requirements.
---------------------------------------------------------------------------

    9. To what extent do banks employ internally developed BSA/AML or 
OFAC compliance systems, third-party systems, or both? What challenges 
arise with such systems considering the principles discussed in the 
MRMG? Are there challenges that are unique to any one of these systems?
    10. To what extent do banks' MRM frameworks apply to all models, 
including BSA/AML and OFAC models? Why or why not?
    11. Specific to suspicious activity monitoring systems, the 
agencies are gathering information about industry practices. The 
agencies welcome responses to the following, regarding individual bank 
and common industry practices.
    a. Suspicious activity monitoring system validation:
    i. To what extent do banks validate such systems before 
implementation?
    ii. Are banks able to implement changes without fully validating 
such systems? If so, please describe the circumstances.
    iii. How frequently do banks validate after implementation?
    iv. To what extent do banks validate after implementing changes to 
existing systems (e.g., new scenarios, threshold changes, or adding/
changing customer peers or segments)? Please describe the circumstances 
in which you think this would be appropriate.
    v. How do banks validate such systems?
    vi. What, if any, compensating controls do banks use if they have 
not had an opportunity to validate such systems?
    b. Suspicious activity monitoring system benchmarking: What, if 
any, external or internal data or models do banks use to compare their 
suspicious activity systems' inputs and outputs for purposes of 
benchmarking?
    c. Suspicious activity monitoring system back-testing: How do banks 
attempt to compare outcomes from suspicious activity systems with 
actual outcomes, given that law enforcement outcomes are often unknown?
    d. Suspicious activity monitoring system sensitivity analysis: How 
do banks check the impact of changes to inputs, assumptions, or other 
factors in their systems to ensure they fall within an expected range?
    12. To what extent do banks calibrate the scope and frequency of 
MRM testing and validation for BSA/AML and OFAC

[[Page 18982]]

models based on their materiality? How do they do so?

Blake J. Paulson,
Acting Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System.
Ann Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on or about January 22, 2021.
Debra A. Decker,
Deputy Executive Secretary.
Melane Conyers-Ausbrooks,
Secretary of the Board, National Credit Union Administration.
AnnaLou Tirol,
Deputy Director, Financial Crimes Enforcement Network.
[FR Doc. 2021-07428 Filed 4-9-21; 8:45 am]
BILLING CODE 6210-01-P; 6705-01-P; 4810-33-P