Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control Requirements, 18978-18982 [2021-07428]

Download as PDF 18978 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency [Docket No. OCC–2020–0047] FEDERAL RESERVE BOARD [Docket No. OP–1744] FEDERAL DEPOSIT INSURANCE CORPORATION RIN 3064–ZA23 NATIONAL CREDIT UNION ADMINISTRATION [Docket No. NCUA–2021–0007] RIN 3133–AF33 DEPARTMENT OF THE TREASURY Financial Crimes Enforcement Network [Docket No. FINCEN–2021–0004] Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance With Bank Secrecy Act/ Anti-Money Laundering and Office of Foreign Assets Control Requirements Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Financial Crimes Enforcement Network (FinCEN).1 ACTION: Notice and request for information and comment. AGENCY: The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the agencies), seek information and comment from interested parties on the extent to which the principles discussed in the interagency Supervisory Guidance on Model Risk Management (referred to as the ‘‘model risk management guidance,’’ or MRMG) support compliance by banks with Bank Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency. The OCC, khammond on DSKJM1Z7X2PROD with NOTICES SUMMARY: 1 This Request for Information primarily focuses on the institutions supervised by the Board, FDIC, NCUA, and OCC. FinCEN’s BSA regulations apply to a broader group of financial institutions and any information submitted by financial institutions other than banks will be collected on behalf of FinCEN. VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement to clarify that the risk management principles discussed in the MRMG are appropriate considerations in the context of the BSA/AML statutory and regulatory requirements. DATES: Comments must be received by June 11, 2021. ADDRESSES: Interested parties are invited to submit written comments to: OCC: Commenters are encouraged to submit comments through the Federal eRulemaking Portal. Please use the title ‘‘Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance with Bank Secrecy Act/ Anti-Money Laundering and Office of Foreign Assets Control Requirements’’ to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods: • Federal eRulemaking Portal— Regulations.gov: Go to https:// regulations.gov/. Enter ‘‘Docket ID OCC– 2020–0047’’ in the Search Box and click ‘‘Search.’’ Public comments can be submitted via the ‘‘Comment’’ box below the displayed document information or by clicking on the document title and then clicking the ‘‘Comment’’ box on the top-left side of the screen. For help with submitting effective comments please click on ‘‘Commenter’s Checklist.’’ For assistance with the Regulations.gov site, please call (877) 378–5457 (toll free) or (703) 454–9859 Monday–Friday, 9 a.m.– 5 p.m. ET or email regulations@ erulemakinghelpdesk.com. • Mail: Chief Counsel’s Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E–218, Washington, DC 20219. • Hand Delivery/Courier: 400 7th Street SW, Suite 3E–218, Washington, DC 20219. Instructions: You must include ‘‘OCC’’ as the agency name and ‘‘Docket ID OCC–2020–0047’’ in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that PO 00000 Frm 00043 Fmt 4703 Sfmt 4703 you consider confidential or inappropriate for public disclosure. You may review comments and other related materials that pertain to this action by the following method: • Viewing Comments Electronically— Regulations.gov: Go to https:// regulations.gov/. Enter ‘‘Docket ID OCC– 2020–0047’’ in the Search Box and click ‘‘Search.’’ Click on the ‘‘Documents’’ tab and then the document’s title. After clicking the document’s title, click the ‘‘Browse Comments’’ tab. Comments can be viewed and filtered by clicking on the ‘‘Sort By’’ drop-down on the right side of the screen or the ‘‘Refine Results’’ options on the left side of the screen. Supporting materials can be viewed by clicking on the ‘‘Documents’’ tab and filtered by clicking on the ‘‘Sort By’’ drop-down on the right side of the screen or the ‘‘Refine Documents Results’’ options on the left side of the screen.’’ For assistance with the Regulations.gov site, please call (877) 378–5457 (toll free) or (703) 454–9859 Monday–Friday, 9 a.m.–5 p.m. ET or email regulations@ erulemakinghelpdesk.com. The docket may be viewed after the close of the comment period in the same manner as during the comment period. Board: You may submit comments, identified by Docket No. OP–1744 by any of the following methods: • Agency Website: http:// www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/ generalinfo/foia/ProposedRegs.cfm. • Email: regs.comments@ federalreserve.gov. Include the docket number in the subject line of the message. • Fax: (202) 452–3819 or (202) 452– 3102. • Mail: Ann Misback, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551. • All public comments will be made available on the Board’s website at http://www.federalreserve.gov/ generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons or to remove personally identifiable information at the commenter’s request. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room 146, 1709 New York Avenue NW, Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays. FDIC: You may submit comments on the request for information and E:\FR\FM\12APN1.SGM 12APN1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices comment using any of the following methods: • Agency Website: https:// www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the agency’s website. • Email: Comments@fdic.gov. Include RIN 3064–ZA23 in the subject line of the message. • Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments—RIN 3064–ZA23, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429. • Hand Delivery/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW building (located on F Street) on business days between 7:00 a.m. and 5:00 p.m. • Public Inspection: All public comments received, including any personal information provided, will be posted generally without change to https://www.fdic.gov/regulations/laws/ federal/. NCUA: You may submit comments to the NCUA, Docket No. NCUA–2021– 0007, by any of the methods set forth below. Commenters are encouraged to submit comments through the Federal eRulemaking Portal, if possible. Please use the title ‘‘Request for Information and Comment: Extent to Which Model Risk Management Principles Support Compliance with Bank Secrecy Act/ Anti-Money Laundering and Office of Foreign Assets Control Requirements’’ to facilitate the organization and distribution of the comments. (Please send comments by one method only): • Federal eRulemaking Portal— www.regulations.gov. Follow the instructions for submitting comments. • Fax: (703) 518–6319. • Mail: Address to Melane ConyersAusbrooks, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428. In general, the NCUA will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information that you provide such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure. You may review comments and other related materials that pertain to this VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 Request for Information and comment by any of the following methods: • Viewing Comments Electronically: You may view all public comments on the Federal eRulemaking Portal at http://www.regulations.gov as submitted, except for those NCUA cannot post for technical reasons. • Due to social distancing measures in effect, the usual opportunity to inspect paper copies of comments in the NCUA’s law library is not currently available. After social distancing measures are relaxed, visitors may make an appointment to review paper copies by calling (703) 518–6540 or emailing OGCMail@ncua.gov. FinCEN: Comments may be submitted by any of the following methods: • Federal E-rulemaking Portal: http:// www.regulations.gov. Follow the instructions for submitting comments. Refer to Docket Number FINCEN–2021– 0004. • Mail: Policy Division, Financial Crimes Enforcement Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN–2021–0004. Please submit comments by one method only. Comments submitted in response to this Request for Information and Comment will become a matter of public record. Therefore, you should submit only information that you wish to make publicly available. FOR FURTHER INFORMATION CONTACT: OCC: James Vivenzio, BSA/AML Policy Director, (202) 649–5470; Jina Cheon, Counsel; or Henry Barkhausen, Counsel, Chief Counsel’s Office, (202) 649–5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219 Board: Suzanne Williams, Deputy Associate Director, Specialized Policy; Koko Ives, Manager, BSA/AML Risk, (202) 973–6163; Lee Davis, Lead Financial Institution Policy Analyst, (202) 912–4350, Division of Supervision and Regulation; Jason Gonzalez, Assistant General Counsel, (202) 452– 3275; Bernard Kim, Senior Counsel, (202) 452–3083, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. FDIC: Lisa Arquette, Associate Director, (202) 898–3673, larquette@ fdic.gov, Division of Risk Management Supervision; Jennifer Maree, Counsel, (202) 898–6543, jemaree@fdic.gov, Legal Division. NCUA: Timothy Segerson, Deputy Director; Andrew Bludorn, Bank Secrecy Act Officer, Office of Examination & Insurance, or Ian Marenna, Associate General Counsel; Chrisanthy Loizos, Senior Trial PO 00000 Frm 00044 Fmt 4703 Sfmt 4703 18979 Attorney, Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or telephone: (703) 518–6300 or (703) 518–6540. FinCEN: The FinCEN Regulatory Support Section at 1–800–767–2825 or electronically at frc@fincen.gov. SUPPLEMENTARY INFORMATION: I. Background The sound risk management principles discussed in the MRMG 2 are important considerations for the development and management of systems used by banks 3 to assist in complying with the requirements of the BSA/AML laws and regulations. Whether a bank characterizes a BSA/ AML system 4 (or portions of that system) as a model, a tool, or an application, risk management of these systems should be consistent with safety and soundness principles,5 and the system should promote compliance with applicable laws and regulations. The MRMG is premised upon sound risk management and governance principles, several of which are referenced in that guidance, such as adequate governance, development, documentation, testing, performance monitoring, validation, and effective challenge. Stakeholders within the banking industry have questioned how the risk management principles described in the MRMG relate to systems or models used to comply with BSA/AML laws and regulations. The OCC, Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently issuing a statement with this Request for Information (RFI) to clarify that 2 Refer to the ‘‘Supervisory Guidance on Model Risk Management,’’ Federal Reserve Supervision and Regulation Letter 11–7, https:// www.federalreserve.gov/supervisionreg/srletters/ srletters.htm; OCC Bulletin 2011–12, https:// www.occ.gov/news-issuances/bulletins/2011/ bulletin-2011-12.html; and FDIC Financial Institution Letter-22–2017, https://www.fdic.gov/ news/financial-institution-letters/2017/ fil17022.html. 3 The MRMG does not apply to credit unions, as it was not issued by the NCUA. As used in this Request for Information, however, the term ‘‘bank’’ includes each agent, agency, branch, or office within the United States of banks, credit unions, savings associations, and foreign banks as defined in Bank Secrecy Act regulations at 31 CFR 1010.100(d). 4 In the BSA/AML context, the term ‘‘system’’ includes a bank’s policies, procedures, or processes to identify, research and report unusual activity, typically known as suspicious activity monitoring and reporting systems, and are critical internal controls for ensuring an effective BSA/AML compliance program. 5 Refer to the Interagency Guidelines Establishing Standards for Safety and Soundness, 12 CFR 208, Appendix D–1 (Federal Reserve); 12 CFR 364, Appendix A (FDIC); and 12 CFR 30, Appendix A (OCC). E:\FR\FM\12APN1.SGM 12APN1 18980 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices regardless of how a BSA/AML system is characterized, sound risk management is important, and banks may use the principles discussed in the MRMG to establish, implement, and maintain their risk management framework. In this RFI, the agencies seek comments and information from interested parties on the extent to which the principles discussed in the MRMG support compliance by banks with BSA/ AML laws and regulations. This RFI also seeks feedback on the extent to which the MRMG principles support compliance by banks related to models and systems used in connection with OFAC requirements. The agencies seek this information to enhance their understanding of bank practices in these areas and determine whether additional explanation or clarification may increase transparency, effectiveness, or efficiency. BSA Requirements The BSA 6 is intended to safeguard the U.S. financial system and the financial institutions that make up that system from the abuses of financial crime, including money laundering, terrorist financing, and other illicit financial activity. FinCEN, a bureau of the U.S. Department of the Treasury, is the delegated administrator of the BSA. In this capacity, FinCEN issues regulations and interpretive guidance, provides outreach to regulated industries, supports examinations, and pursues civil enforcement actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC (the ‘‘federal banking agencies’’) to examine banks 7 within their respective jurisdictions for compliance with the BSA. The federal banking agencies are responsible for the oversight of the various banking entities operating in the United States, including U.S. branches and agencies of foreign banks. The federal banking agencies’ regulations require each bank under their supervision to establish and maintain a BSA compliance program, as does the BSA itself.8 At a minimum, the BSA/ AML compliance program must include: CFR 1010.100(e). term ‘‘bank’’ is used here as in Bank Secrecy Act regulations at 31 CFR 1010.100(d). 8 12 CFR 21.21 (OCC), 12 CFR 208.63, 12 CFR 211.5(m) and 12 CFR 211.24(j) (Board); 12 CFR 326.8 (FDIC); 12 CFR 748.2(b) (NCUA). As set forth in 31 CFR 1020.210 (FinCEN), a bank regulated by one of the federal functional regulators is deemed to have satisfied FinCEN’s AML program requirements if the bank develops and maintains a BSA compliance program that complies with the regulation of its federal functional regulator governing such programs. • Internal controls to assure ongoing compliance; • Independent testing for compliance; • Designation of an individual or individuals, also referred to as the BSA/ AML compliance officer(s), responsible for coordinating and monitoring day-today compliance; and • Training for appropriate personnel. A bank also has requirements related to suspicious activity reporting,9 customer identification,10 customer due diligence, and beneficial ownership.11 BSA/AML systems are often used to assist the bank in meeting these requirements. Office of Foreign Assets Control Requirements OFAC is an office of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction. OFAC acts under the President’s wartime and national emergency powers, as well as under authority granted by specific legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction. All U.S. persons, including U.S. banks, bank holding companies, and nonbank subsidiaries, must comply with OFAC’s regulations. OFAC-issued regulations apply not only to U.S. banks but also to their foreign branches and overseas offices and often to subsidiaries. OFAC encourages banks to take a risk-based approach to designing and implementing an OFAC compliance program.12 In general, the sanctions programs that OFAC administers require banks to do the following: • Block accounts and other property of specified countries, entities, and individuals. • Prohibit or reject unlicensed trade and financial transactions with specified countries, entities, and individuals. • Report blocked property and rejected transactions to OFAC. 6 31 khammond on DSKJM1Z7X2PROD with NOTICES 7 The VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 9 12 CFR 21.11 and 12 CFR 163.180(d) (OCC); 12 CFR 208.62, 12 CFR 211.5(k), 12 CFR 211.24(f)), and 12 CFR 225.4(f) (Board); 12 CFR 353 (FDIC); 12 CFR 748.1(c) (NCUA); and 31 CFR 1020.320 (FinCEN). 10 12 CFR 21.21(c)(2) (OCC); 12 CFR 208.63(b)(2), 211.5(m)(2), and 211.24(j)(2) (Board); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 748.2(b)(2) (NCUA); and 31 CFR 1020.220 (FinCEN). 11 31 CFR 1020.210(a)(2)(v) and 31 CFR 1010.230. 12 Framework for OFAC Compliance Commitments. See, https://home.treasury.gov/ system/files/126/framework_ofac_cc.pdf. PO 00000 Frm 00045 Fmt 4703 Sfmt 4703 Model Risk Management Guidance On April 4, 2011, the Board and the OCC issued guidance for banks subject to their supervision on effective model risk management (MRM). The FDIC subsequently adopted this guidance in 2017. Consistent with the federal banking agencies’ support of safe and sound banking principles, the MRMG lays out principles for sound MRM in three key areas: (1) Model development, implementation, and use; (2) model validation; and (3) governance, policies, and controls. The guidance describes different MRM responsibilities for different parties within a bank, based on their roles, including those building the models, those independently reviewing the models, and those providing a governance framework for MRM. Concurrently with the publication of this RFI, the OCC, Board, and FDIC, in consultation with NCUA and FinCEN, have published an ‘‘Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.’’ The MRMG principles provide flexibility for banks in developing, implementing, and updating models. Banks may use some or all of the principles in their risk management processes to support meeting the regulatory requirements of an effective BSA/AML compliance program. The questions posed in this RFI complement the statement and the agencies ask commenters to consider the two documents in conjunction with each other. II. Request for Information Overview This RFI seeks information and comment on any aspects of the relationship between BSA/AML and OFAC compliance and the principles conveyed in the MRMG, including how those principles may support compliance and any differences in perceptions regarding their application. This RFI also asks for responses to specific questions outlined below. Suggested Topics for Commenters To allow the agencies to evaluate suggestions more effectively, the agencies request that, where possible, comments include: • Specific discussion of any suggested changes to guidance or regulation, including, in as much detail as possible, the nature of the requested change and supporting data or other information on impacts, costs, and benefits. • Specific identification of any aspects of the agencies’ approach to E:\FR\FM\12APN1.SGM 12APN1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices BSA/AML and OFAC compliance as it relates to MRMG that are working well and those that could be improved, including, in as much detail as possible, supporting data or other information on impacts, costs, and benefits. The following sections list areas of interest on which commenters may want to focus. This list is meant to assist in the formulation of comments and is not intended to restrict what may be addressed by the public. Commenters may also address matters related to BSA/AML or OFAC compliance and the principles conveyed in the MRMG that do not appear in the list below. The agencies request that, in addressing these questions, commenters identify issues in as much detail as possible and provide specific examples where appropriate. Commenters are requested to comment on some or all of the questions below and are encouraged to indicate in which area your comments are focused. The agencies request that commenters providing suggestions note their highest priorities, where possible, along with an explanation of how or why certain suggestions have been prioritized. The term ‘‘BSA/AML and OFAC models’’ is used in the questions below to describe BSA/AML or OFAC compliance systems that a bank considers models, so its interpretation could vary from bank to bank. When providing feedback, please note that the MRMG principles provide flexibility for banks in developing, implementing, and updating models. The extent and nature of model risk varies across models and banks, and a bank’s risk management framework is most appropriately tailored when it is commensurate with the nature and materiality of the risk. The agencies are interested in gathering information about industry practices and welcome responses regarding individual banks, as well as common industry practices. 1. What types of systems do banks employ to support BSA/AML and OFAC compliance that they consider models (e.g., automated account/transaction monitoring, interdiction, customer risk rating/scoring)? What types of methodologies or technologies do these systems use (e.g., judgment-based, artificial intelligence or machine learning, or statistical methodologies or technologies)? 2. To what extent are banks’ BSA/ AML and OFAC models subject to separate internal oversight for MRM in addition to the normal BSA/AML or OFAC compliance requirements? What additional procedures do banks have for BSA and OFAC models beyond BSA/ VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 AML or OFAC compliance requirements? 3. To what extent do banks have policies and procedures, either specific to BSA/AML and OFAC models or applicable to models generally, governing the validation of BSA/AML and OFAC models, including, but not limited to, the validation frequency, minimum standards, and areas of coverage (i.e., which scenarios, thresholds, or components of the model to cover)? 4. To what extent are the risk management principles discussed in the MRMG appropriate for BSA/AML and OFAC models? Please explain why certain principles may be more or less appropriate for bank operations of varying size and complexity? Are there other principles not discussed in the MRMG that would be appropriate for banks to consider? 5. Some bankers have reported that banks’ application of MRM to BSA/AML and OFAC models has resulted in substantial delays in implementing, updating, and improving systems. Please describe any factors that might create such delays, including specific examples.13 6. Some bankers have reported that banks’ application of MRM to BSA/AML and OFAC models has been an impediment to developing and implementing more innovative and effective approaches to BSA/AML and OFAC compliance. Do banks consider MRM relative to BSA/AML an impediment to innovation? If yes, please describe the factors that create the impediments, including specific examples.14 7. To what extent do banks’ MRM frameworks include testing and validation processes that are more extensive than reviews conducted to meet the independent testing requirement of the BSA? Please explain. 8. To what extent do banks use an outside party to perform validations of BSA/AML and OFAC compliance systems? Does the validation only include BSA/AML and OFAC models, as opposed to other types of models used by the banks? Why are outside parties used to perform validation? 15 13 The MRMG recognizes that banks assess different models in different ways: ‘‘The nature of testing and analysis will depend on the type of model and will be judged by different criteria depending on the context.’’ 14 In the MRMG, a key determinant of the extent of validation activities is ‘‘materiality.’’ Banks may choose to implement less material changes to models without revalidation. 15 The decision to use an outside party is entirely the bank’s own, in accordance with the bank’s third-party risk management and model risk management requirements. PO 00000 Frm 00046 Fmt 4703 Sfmt 4703 18981 9. To what extent do banks employ internally developed BSA/AML or OFAC compliance systems, third-party systems, or both? What challenges arise with such systems considering the principles discussed in the MRMG? Are there challenges that are unique to any one of these systems? 10. To what extent do banks’ MRM frameworks apply to all models, including BSA/AML and OFAC models? Why or why not? 11. Specific to suspicious activity monitoring systems, the agencies are gathering information about industry practices. The agencies welcome responses to the following, regarding individual bank and common industry practices. a. Suspicious activity monitoring system validation: i. To what extent do banks validate such systems before implementation? ii. Are banks able to implement changes without fully validating such systems? If so, please describe the circumstances. iii. How frequently do banks validate after implementation? iv. To what extent do banks validate after implementing changes to existing systems (e.g., new scenarios, threshold changes, or adding/changing customer peers or segments)? Please describe the circumstances in which you think this would be appropriate. v. How do banks validate such systems? vi. What, if any, compensating controls do banks use if they have not had an opportunity to validate such systems? b. Suspicious activity monitoring system benchmarking: What, if any, external or internal data or models do banks use to compare their suspicious activity systems’ inputs and outputs for purposes of benchmarking? c. Suspicious activity monitoring system back-testing: How do banks attempt to compare outcomes from suspicious activity systems with actual outcomes, given that law enforcement outcomes are often unknown? d. Suspicious activity monitoring system sensitivity analysis: How do banks check the impact of changes to inputs, assumptions, or other factors in their systems to ensure they fall within an expected range? 12. To what extent do banks calibrate the scope and frequency of MRM testing and validation for BSA/AML and OFAC E:\FR\FM\12APN1.SGM 12APN1 18982 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices models based on their materiality? How do they do so? Blake J. Paulson, Acting Comptroller of the Currency. By order of the Board of Governors of the Federal Reserve System. Ann Misback, Secretary of the Board. Federal Deposit Insurance Corporation. Dated at Washington, DC, on or about January 22, 2021. Debra A. Decker, Deputy Executive Secretary. Melane Conyers-Ausbrooks, Secretary of the Board, National Credit Union Administration. AnnaLou Tirol, Deputy Director, Financial Crimes Enforcement Network. [FR Doc. 2021–07428 Filed 4–9–21; 8:45 am] BILLING CODE 6210–01–P; 6705–01–P; 4810–33–P FEDERAL RESERVE SYSTEM Solicitation of Applications for Membership on the Community Advisory Council Board of Governors of the Federal Reserve System. ACTION: Notice. AGENCY: The Board of Governors of the Federal Reserve System (Board) established the Community Advisory Council (the ‘‘CAC’’) as an advisory committee to the Board on issues affecting consumers and communities. This Notice advises individuals who wish to serve as CAC members of the opportunity to be considered for the CAC. DATES: Applications received between Monday, April 12, 2021 and Friday, June 11, 2021 will be considered for selection to the CAC for terms beginning January 1, 2022. ADDRESSES: Individuals who are interested in being considered for the CAC may submit an application via the Board’s website or via email. The application can be accessed at https:// www.federalreserve.gov/secure/CAC/ Application/. Emailed submissions can be sent to CCA-CAC@frb.gov. The information required for consideration is described below. If electronic submission is not feasible, submissions may be mailed to the Board of Governors of the Federal Reserve System, Attn: Community Advisory Council, Mail Stop I–305, 20th Street and Constitution Ave. NW, Washington, DC 20551. FOR FURTHER INFORMATION CONTACT: Jennifer Fernandez, Community khammond on DSKJM1Z7X2PROD with NOTICES SUMMARY: VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 Development Analyst, Division of Consumer and Community Affairs, Board of Governors of the Federal Reserve System, 20th Street and Constitution Ave. NW, Washington, DC 20551, or (202) 452–2412, or CCA-CAC@ frb.gov. Telecommunications Device for the Deaf (TDD) users may contact (202) 263–4869. SUPPLEMENTARY INFORMATION: The Board created the Community Advisory Council (CAC) as an advisory committee to the Board on issues affecting consumers and communities. The CAC is composed of a diverse group of experts and representatives of consumer and community development organizations and interests, including from such fields as affordable housing, community and economic development, employment and labor, financial services and technology, small business, and asset and wealth building. CAC members meet semiannually with the members of the Board in Washington, DC to provide a range of perspectives on the economic circumstances and financial services needs of consumers and communities, with a particular focus on the concerns of low- and moderate-income consumers and communities. The CAC complements two of the Board’s other advisory councils—the Community Depository Institutions Advisory Council (CDIAC) and the Federal Advisory Council (FAC)—whose members represent depository institutions. The CAC serves as a mechanism to gather feedback and perspectives on a wide range of policy matters and emerging issues of interest to the Board of Governors and aligns with the Federal Reserve’s mission and current responsibilities. These responsibilities include, but are not limited to, banking supervision and regulatory compliance (including the enforcement of consumer protection laws), systemic risk oversight and monetary policy decision-making, and, in conjunction with the Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC), responsibility for implementation of the Community Reinvestment Act (CRA). This Notice advises individuals of the opportunity to be considered for appointment to the CAC. To assist with the selection of CAC members, the Board will consider the information submitted by the candidate along with other publicly available information that it independently obtains. Council Size and Terms The CAC consists of at least 15 members. The Board will select members in the fall of 2021 to replace PO 00000 Frm 00047 Fmt 4703 Sfmt 4703 current members whose terms will expire on December 31, 2021. The newly appointed members will serve three-year terms that will begin on January 1, 2022. If a member vacates the CAC before the end of the three-year term, a replacement member will be appointed to fill the unexpired term. Application Candidates may submit applications by one of three options: • Online: Complete the application form on the Board’s website at https:// www.federalreserve.gov/secure/CAC/ Application/ . • Email: Submit all required information to CCA-CAC@frb.gov. • Postal Mail: If electronic submission is not feasible, submissions may be mailed to the Board of Governors of the Federal Reserve System, Attn: Community Advisory Council, Mail Stop I–305, 20th Street and Constitution Ave. NW, Washington, DC 20551. Interested parties can view the current Privacy Act Statement at: https:// www.federalreserve.gov/aboutthefed/ cac-privacy.htm Below are the application fields. Asterisks (*) indicate required fields. • First and Last Name* • Email Address* • Phone Number* • Postal Mail Street Address* • Postal Mail City* • Postal Mail State, Territory, or Federal District* • Postal Zip Code* • Organization* • Title* • Organization Type (select one)* Æ For Profit D Community Development Financial Institution (CDFI) D Non-CDFI Financial Institution D Financial Services D Professional Services D Other Æ Non-Profit D Advocacy D Association D Community Development Financial Institution (CDFI) D Educational Institution D Foundation D Service Provider D Think Tank/Policy Organization D Other Æ Government • Primary Area of Expertise (select one)* Æ Civil rights Æ Community development finance Æ Community reinvestment and stabilization Æ Consumer protection Æ Economic and small business development E:\FR\FM\12APN1.SGM 12APN1

Agencies

[Federal Register Volume 86, Number 68 (Monday, April 12, 2021)]
[Notices]
[Pages 18978-18982]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-07428]



[[Page 18978]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. OCC-2020-0047]

FEDERAL RESERVE BOARD

[Docket No. OP-1744]

FEDERAL DEPOSIT INSURANCE CORPORATION

RIN 3064-ZA23

NATIONAL CREDIT UNION ADMINISTRATION

[Docket No. NCUA-2021-0007]
RIN 3133-AF33

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network

[Docket No. FINCEN-2021-0004]


Request for Information and Comment: Extent to Which Model Risk 
Management Principles Support Compliance With Bank Secrecy Act/Anti-
Money Laundering and Office of Foreign Assets Control Requirements

AGENCY: Office of the Comptroller of the Currency (OCC), Board of 
Governors of the Federal Reserve System (Board), Federal Deposit 
Insurance Corporation (FDIC), National Credit Union Administration 
(NCUA), and Financial Crimes Enforcement Network (FinCEN).\1\
---------------------------------------------------------------------------

    \1\ This Request for Information primarily focuses on the 
institutions supervised by the Board, FDIC, NCUA, and OCC. FinCEN's 
BSA regulations apply to a broader group of financial institutions 
and any information submitted by financial institutions other than 
banks will be collected on behalf of FinCEN.

ACTION: Notice and request for information and comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, NCUA, and FinCEN (collectively, the 
agencies), seek information and comment from interested parties on the 
extent to which the principles discussed in the interagency Supervisory 
Guidance on Model Risk Management (referred to as the ``model risk 
management guidance,'' or MRMG) support compliance by banks with Bank 
Secrecy Act/anti-money laundering (BSA/AML) and Office of Foreign 
Assets Control (OFAC) requirements. The agencies seek this information 
to enhance their understanding of bank practices in these areas and 
determine whether additional explanation or clarification may increase 
transparency, effectiveness, or efficiency. The OCC, Board, and FDIC, 
in consultation with NCUA and FinCEN, are concurrently issuing a 
statement to clarify that the risk management principles discussed in 
the MRMG are appropriate considerations in the context of the BSA/AML 
statutory and regulatory requirements.

DATES: Comments must be received by June 11, 2021.

ADDRESSES: Interested parties are invited to submit written comments 
to:
    OCC: Commenters are encouraged to submit comments through the 
Federal eRulemaking Portal. Please use the title ``Request for 
Information and Comment: Extent to Which Model Risk Management 
Principles Support Compliance with Bank Secrecy Act/Anti-Money 
Laundering and Office of Foreign Assets Control Requirements'' to 
facilitate the organization and distribution of the comments. You may 
submit comments by any of the following methods:
     Federal eRulemaking Portal--Regulations.gov: Go to https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the Search Box 
and click ``Search.'' Public comments can be submitted via the 
``Comment'' box below the displayed document information or by clicking 
on the document title and then clicking the ``Comment'' box on the top-
left side of the screen. For help with submitting effective comments 
please click on ``Commenter's Checklist.'' For assistance with the 
Regulations.gov site, please call (877) 378-5457 (toll free) or (703) 
454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email 
[email protected].
     Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, 400 7th Street 
SW, Suite 3E-218, Washington, DC 20219.
     Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
    Instructions: You must include ``OCC'' as the agency name and 
``Docket ID OCC-2020-0047'' in your comment. In general, the OCC will 
enter all comments received into the docket and publish the comments on 
the Regulations.gov website without change, including any business or 
personal information provided such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    You may review comments and other related materials that pertain to 
this action by the following method:
     Viewing Comments Electronically--Regulations.gov: Go to 
https://regulations.gov/. Enter ``Docket ID OCC-2020-0047'' in the 
Search Box and click ``Search.'' Click on the ``Documents'' tab and 
then the document's title. After clicking the document's title, click 
the ``Browse Comments'' tab. Comments can be viewed and filtered by 
clicking on the ``Sort By'' drop-down on the right side of the screen 
or the ``Refine Results'' options on the left side of the screen. 
Supporting materials can be viewed by clicking on the ``Documents'' tab 
and filtered by clicking on the ``Sort By'' drop-down on the right side 
of the screen or the ``Refine Documents Results'' options on the left 
side of the screen.'' For assistance with the Regulations.gov site, 
please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 
9 a.m.-5 p.m. ET or email [email protected].
    The docket may be viewed after the close of the comment period in 
the same manner as during the comment period.
    Board: You may submit comments, identified by Docket No. OP-1744 by 
any of the following methods:
     Agency Website: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Email: [email protected]. Include the 
docket number in the subject line of the message.
     Fax: (202) 452-3819 or (202) 452-3102.
     Mail: Ann Misback, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue NW, 
Washington, DC 20551.
     All public comments will be made available on the Board's 
website at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons or 
to remove personally identifiable information at the commenter's 
request. Accordingly, your comments will not be edited to remove any 
identifying or contact information. Public comments may also be viewed 
electronically or in paper in Room 146, 1709 New York Avenue NW, 
Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays.
    FDIC: You may submit comments on the request for information and

[[Page 18979]]

comment using any of the following methods:
     Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the 
agency's website.
     Email: [email protected]. Include RIN 3064-ZA23 in the 
subject line of the message.
     Mail: James P. Sheesley, Assistant Executive Secretary, 
Attention: Comments--RIN 3064-ZA23, Federal Deposit Insurance 
Corporation, 550 17th Street NW, Washington, DC 20429.
     Hand Delivery/Courier: Comments may be hand-delivered to 
the guard station at the rear of the 550 17th Street NW building 
(located on F Street) on business days between 7:00 a.m. and 5:00 p.m.
     Public Inspection: All public comments received, including 
any personal information provided, will be posted generally without 
change to https://www.fdic.gov/regulations/laws/federal/.
    NCUA: You may submit comments to the NCUA, Docket No. NCUA-2021-
0007, by any of the methods set forth below. Commenters are encouraged 
to submit comments through the Federal eRulemaking Portal, if possible. 
Please use the title ``Request for Information and Comment: Extent to 
Which Model Risk Management Principles Support Compliance with Bank 
Secrecy Act/Anti-Money Laundering and Office of Foreign Assets Control 
Requirements'' to facilitate the organization and distribution of the 
comments. (Please send comments by one method only):
     Federal eRulemaking Portal-- www.regulations.gov. Follow 
the instructions for submitting comments.
     Fax: (703) 518-6319.
     Mail: Address to Melane Conyers-Ausbrooks, Secretary of 
the Board, National Credit Union Administration, 1775 Duke Street, 
Alexandria, VA 22314-3428.
    In general, the NCUA will enter all comments received into the 
docket and publish the comments on the Regulations.gov website without 
change, including any business or personal information that you provide 
such as name and address information, email addresses, or phone 
numbers. Comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not include any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    You may review comments and other related materials that pertain to 
this Request for Information and comment by any of the following 
methods:
     Viewing Comments Electronically: You may view all public 
comments on the Federal eRulemaking Portal at http://www.regulations.gov as submitted, except for those NCUA cannot post for 
technical reasons.
     Due to social distancing measures in effect, the usual 
opportunity to inspect paper copies of comments in the NCUA's law 
library is not currently available. After social distancing measures 
are relaxed, visitors may make an appointment to review paper copies by 
calling (703) 518-6540 or emailing [email protected].
    FinCEN: Comments may be submitted by any of the following methods:
     Federal E-rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments. Refer to Docket Number 
FINCEN-2021-0004.
     Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2021-0004.
    Please submit comments by one method only. Comments submitted in 
response to this Request for Information and Comment will become a 
matter of public record. Therefore, you should submit only information 
that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT:
    OCC: James Vivenzio, BSA/AML Policy Director, (202) 649-5470; Jina 
Cheon, Counsel; or Henry Barkhausen, Counsel, Chief Counsel's Office, 
(202) 649-5490, Office of the Comptroller of the Currency, 400 7th 
Street SW, Washington, DC 20219
    Board: Suzanne Williams, Deputy Associate Director, Specialized 
Policy; Koko Ives, Manager, BSA/AML Risk, (202) 973-6163; Lee Davis, 
Lead Financial Institution Policy Analyst, (202) 912-4350, Division of 
Supervision and Regulation; Jason Gonzalez, Assistant General Counsel, 
(202) 452-3275; Bernard Kim, Senior Counsel, (202) 452-3083, Legal 
Division, Board of Governors of the Federal Reserve System, 20th and C 
Streets NW, Washington, DC 20551.
    FDIC: Lisa Arquette, Associate Director, (202) 898-3673, 
[email protected], Division of Risk Management Supervision; Jennifer 
Maree, Counsel, (202) 898-6543, [email protected], Legal Division.
    NCUA: Timothy Segerson, Deputy Director; Andrew Bludorn, Bank 
Secrecy Act Officer, Office of Examination & Insurance, or Ian Marenna, 
Associate General Counsel; Chrisanthy Loizos, Senior Trial Attorney, 
Office of General Counsel, at 1775 Duke Street, Alexandria, VA 22314 or 
telephone: (703) 518-6300 or (703) 518-6540.
    FinCEN: The FinCEN Regulatory Support Section at 1-800-767-2825 or 
electronically at [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    The sound risk management principles discussed in the MRMG \2\ are 
important considerations for the development and management of systems 
used by banks \3\ to assist in complying with the requirements of the 
BSA/AML laws and regulations. Whether a bank characterizes a BSA/AML 
system \4\ (or portions of that system) as a model, a tool, or an 
application, risk management of these systems should be consistent with 
safety and soundness principles,\5\ and the system should promote 
compliance with applicable laws and regulations. The MRMG is premised 
upon sound risk management and governance principles, several of which 
are referenced in that guidance, such as adequate governance, 
development, documentation, testing, performance monitoring, 
validation, and effective challenge.
---------------------------------------------------------------------------

    \2\ Refer to the ``Supervisory Guidance on Model Risk 
Management,'' Federal Reserve Supervision and Regulation Letter 11-
7, https://www.federalreserve.gov/supervisionreg/srletters/srletters.htm; OCC Bulletin 2011-12, https://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12.html; and FDIC Financial 
Institution Letter-22-2017, https://www.fdic.gov/news/financial-institution-letters/2017/fil17022.html.
    \3\ The MRMG does not apply to credit unions, as it was not 
issued by the NCUA. As used in this Request for Information, 
however, the term ``bank'' includes each agent, agency, branch, or 
office within the United States of banks, credit unions, savings 
associations, and foreign banks as defined in Bank Secrecy Act 
regulations at 31 CFR 1010.100(d).
    \4\ In the BSA/AML context, the term ``system'' includes a 
bank's policies, procedures, or processes to identify, research and 
report unusual activity, typically known as suspicious activity 
monitoring and reporting systems, and are critical internal controls 
for ensuring an effective BSA/AML compliance program.
    \5\ Refer to the Interagency Guidelines Establishing Standards 
for Safety and Soundness, 12 CFR 208, Appendix D-1 (Federal 
Reserve); 12 CFR 364, Appendix A (FDIC); and 12 CFR 30, Appendix A 
(OCC).
---------------------------------------------------------------------------

    Stakeholders within the banking industry have questioned how the 
risk management principles described in the MRMG relate to systems or 
models used to comply with BSA/AML laws and regulations. The OCC, 
Board, and FDIC, in consultation with NCUA and FinCEN, are concurrently 
issuing a statement with this Request for Information (RFI) to clarify 
that

[[Page 18980]]

regardless of how a BSA/AML system is characterized, sound risk 
management is important, and banks may use the principles discussed in 
the MRMG to establish, implement, and maintain their risk management 
framework.
    In this RFI, the agencies seek comments and information from 
interested parties on the extent to which the principles discussed in 
the MRMG support compliance by banks with BSA/AML laws and regulations. 
This RFI also seeks feedback on the extent to which the MRMG principles 
support compliance by banks related to models and systems used in 
connection with OFAC requirements. The agencies seek this information 
to enhance their understanding of bank practices in these areas and 
determine whether additional explanation or clarification may increase 
transparency, effectiveness, or efficiency.

BSA Requirements

    The BSA \6\ is intended to safeguard the U.S. financial system and 
the financial institutions that make up that system from the abuses of 
financial crime, including money laundering, terrorist financing, and 
other illicit financial activity.
---------------------------------------------------------------------------

    \6\ 31 CFR 1010.100(e).
---------------------------------------------------------------------------

    FinCEN, a bureau of the U.S. Department of the Treasury, is the 
delegated administrator of the BSA. In this capacity, FinCEN issues 
regulations and interpretive guidance, provides outreach to regulated 
industries, supports examinations, and pursues civil enforcement 
actions when warranted. FinCEN relies on the Board, FDIC, NCUA and OCC 
(the ``federal banking agencies'') to examine banks \7\ within their 
respective jurisdictions for compliance with the BSA.
---------------------------------------------------------------------------

    \7\ The term ``bank'' is used here as in Bank Secrecy Act 
regulations at 31 CFR 1010.100(d).
---------------------------------------------------------------------------

    The federal banking agencies are responsible for the oversight of 
the various banking entities operating in the United States, including 
U.S. branches and agencies of foreign banks. The federal banking 
agencies' regulations require each bank under their supervision to 
establish and maintain a BSA compliance program, as does the BSA 
itself.\8\ At a minimum, the BSA/AML compliance program must include:
---------------------------------------------------------------------------

    \8\ 12 CFR 21.21 (OCC), 12 CFR 208.63, 12 CFR 211.5(m) and 12 
CFR 211.24(j) (Board); 12 CFR 326.8 (FDIC); 12 CFR 748.2(b) (NCUA). 
As set forth in 31 CFR 1020.210 (FinCEN), a bank regulated by one of 
the federal functional regulators is deemed to have satisfied 
FinCEN's AML program requirements if the bank develops and maintains 
a BSA compliance program that complies with the regulation of its 
federal functional regulator governing such programs.
---------------------------------------------------------------------------

     Internal controls to assure ongoing compliance;
     Independent testing for compliance;
     Designation of an individual or individuals, also referred 
to as the BSA/AML compliance officer(s), responsible for coordinating 
and monitoring day-to-day compliance; and
     Training for appropriate personnel.
    A bank also has requirements related to suspicious activity 
reporting,\9\ customer identification,\10\ customer due diligence, and 
beneficial ownership.\11\ BSA/AML systems are often used to assist the 
bank in meeting these requirements.
---------------------------------------------------------------------------

    \9\ 12 CFR 21.11 and 12 CFR 163.180(d) (OCC); 12 CFR 208.62, 12 
CFR 211.5(k), 12 CFR 211.24(f)), and 12 CFR 225.4(f) (Board); 12 CFR 
353 (FDIC); 12 CFR 748.1(c) (NCUA); and 31 CFR 1020.320 (FinCEN).
    \10\ 12 CFR 21.21(c)(2) (OCC); 12 CFR 208.63(b)(2), 211.5(m)(2), 
and 211.24(j)(2) (Board); 12 CFR 326.8(b)(2) (FDIC); 12 CFR 
748.2(b)(2) (NCUA); and 31 CFR 1020.220 (FinCEN).
    \11\ 31 CFR 1020.210(a)(2)(v) and 31 CFR 1010.230.
---------------------------------------------------------------------------

Office of Foreign Assets Control Requirements

    OFAC is an office of the U.S. Department of the Treasury that 
administers and enforces economic and trade sanctions based on U.S. 
foreign policy and national security goals against targeted foreign 
countries, terrorists, international narcotics traffickers, and those 
engaged in activities related to the proliferation of weapons of mass 
destruction. OFAC acts under the President's wartime and national 
emergency powers, as well as under authority granted by specific 
legislation, to impose controls on transactions and freeze assets under 
U.S. jurisdiction.
    All U.S. persons, including U.S. banks, bank holding companies, and 
nonbank subsidiaries, must comply with OFAC's regulations. OFAC-issued 
regulations apply not only to U.S. banks but also to their foreign 
branches and overseas offices and often to subsidiaries. OFAC 
encourages banks to take a risk-based approach to designing and 
implementing an OFAC compliance program.\12\ In general, the sanctions 
programs that OFAC administers require banks to do the following:
---------------------------------------------------------------------------

    \12\ Framework for OFAC Compliance Commitments. See, https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf.
---------------------------------------------------------------------------

     Block accounts and other property of specified countries, 
entities, and individuals.
     Prohibit or reject unlicensed trade and financial 
transactions with specified countries, entities, and individuals.
     Report blocked property and rejected transactions to OFAC.

Model Risk Management Guidance

    On April 4, 2011, the Board and the OCC issued guidance for banks 
subject to their supervision on effective model risk management (MRM). 
The FDIC subsequently adopted this guidance in 2017.
    Consistent with the federal banking agencies' support of safe and 
sound banking principles, the MRMG lays out principles for sound MRM in 
three key areas: (1) Model development, implementation, and use; (2) 
model validation; and (3) governance, policies, and controls. The 
guidance describes different MRM responsibilities for different parties 
within a bank, based on their roles, including those building the 
models, those independently reviewing the models, and those providing a 
governance framework for MRM.
    Concurrently with the publication of this RFI, the OCC, Board, and 
FDIC, in consultation with NCUA and FinCEN, have published an 
``Interagency Statement on Model Risk Management for Bank Systems 
Supporting Bank Secrecy Act/Anti-Money Laundering Compliance.'' The 
MRMG principles provide flexibility for banks in developing, 
implementing, and updating models. Banks may use some or all of the 
principles in their risk management processes to support meeting the 
regulatory requirements of an effective BSA/AML compliance program. The 
questions posed in this RFI complement the statement and the agencies 
ask commenters to consider the two documents in conjunction with each 
other.

II. Request for Information Overview

    This RFI seeks information and comment on any aspects of the 
relationship between BSA/AML and OFAC compliance and the principles 
conveyed in the MRMG, including how those principles may support 
compliance and any differences in perceptions regarding their 
application. This RFI also asks for responses to specific questions 
outlined below.

Suggested Topics for Commenters

    To allow the agencies to evaluate suggestions more effectively, the 
agencies request that, where possible, comments include:
     Specific discussion of any suggested changes to guidance 
or regulation, including, in as much detail as possible, the nature of 
the requested change and supporting data or other information on 
impacts, costs, and benefits.
     Specific identification of any aspects of the agencies' 
approach to

[[Page 18981]]

BSA/AML and OFAC compliance as it relates to MRMG that are working well 
and those that could be improved, including, in as much detail as 
possible, supporting data or other information on impacts, costs, and 
benefits.
    The following sections list areas of interest on which commenters 
may want to focus. This list is meant to assist in the formulation of 
comments and is not intended to restrict what may be addressed by the 
public. Commenters may also address matters related to BSA/AML or OFAC 
compliance and the principles conveyed in the MRMG that do not appear 
in the list below. The agencies request that, in addressing these 
questions, commenters identify issues in as much detail as possible and 
provide specific examples where appropriate. Commenters are requested 
to comment on some or all of the questions below and are encouraged to 
indicate in which area your comments are focused. The agencies request 
that commenters providing suggestions note their highest priorities, 
where possible, along with an explanation of how or why certain 
suggestions have been prioritized.
    The term ``BSA/AML and OFAC models'' is used in the questions below 
to describe BSA/AML or OFAC compliance systems that a bank considers 
models, so its interpretation could vary from bank to bank. When 
providing feedback, please note that the MRMG principles provide 
flexibility for banks in developing, implementing, and updating models. 
The extent and nature of model risk varies across models and banks, and 
a bank's risk management framework is most appropriately tailored when 
it is commensurate with the nature and materiality of the risk. The 
agencies are interested in gathering information about industry 
practices and welcome responses regarding individual banks, as well as 
common industry practices.
    1. What types of systems do banks employ to support BSA/AML and 
OFAC compliance that they consider models (e.g., automated account/
transaction monitoring, interdiction, customer risk rating/scoring)? 
What types of methodologies or technologies do these systems use (e.g., 
judgment-based, artificial intelligence or machine learning, or 
statistical methodologies or technologies)?
    2. To what extent are banks' BSA/AML and OFAC models subject to 
separate internal oversight for MRM in addition to the normal BSA/AML 
or OFAC compliance requirements? What additional procedures do banks 
have for BSA and OFAC models beyond BSA/AML or OFAC compliance 
requirements?
    3. To what extent do banks have policies and procedures, either 
specific to BSA/AML and OFAC models or applicable to models generally, 
governing the validation of BSA/AML and OFAC models, including, but not 
limited to, the validation frequency, minimum standards, and areas of 
coverage (i.e., which scenarios, thresholds, or components of the model 
to cover)?
    4. To what extent are the risk management principles discussed in 
the MRMG appropriate for BSA/AML and OFAC models? Please explain why 
certain principles may be more or less appropriate for bank operations 
of varying size and complexity? Are there other principles not 
discussed in the MRMG that would be appropriate for banks to consider?
    5. Some bankers have reported that banks' application of MRM to 
BSA/AML and OFAC models has resulted in substantial delays in 
implementing, updating, and improving systems. Please describe any 
factors that might create such delays, including specific examples.\13\
---------------------------------------------------------------------------

    \13\ The MRMG recognizes that banks assess different models in 
different ways: ``The nature of testing and analysis will depend on 
the type of model and will be judged by different criteria depending 
on the context.''
---------------------------------------------------------------------------

    6. Some bankers have reported that banks' application of MRM to 
BSA/AML and OFAC models has been an impediment to developing and 
implementing more innovative and effective approaches to BSA/AML and 
OFAC compliance. Do banks consider MRM relative to BSA/AML an 
impediment to innovation? If yes, please describe the factors that 
create the impediments, including specific examples.\14\
---------------------------------------------------------------------------

    \14\ In the MRMG, a key determinant of the extent of validation 
activities is ``materiality.'' Banks may choose to implement less 
material changes to models without revalidation.
---------------------------------------------------------------------------

    7. To what extent do banks' MRM frameworks include testing and 
validation processes that are more extensive than reviews conducted to 
meet the independent testing requirement of the BSA? Please explain.
    8. To what extent do banks use an outside party to perform 
validations of BSA/AML and OFAC compliance systems? Does the validation 
only include BSA/AML and OFAC models, as opposed to other types of 
models used by the banks? Why are outside parties used to perform 
validation? \15\
---------------------------------------------------------------------------

    \15\ The decision to use an outside party is entirely the bank's 
own, in accordance with the bank's third-party risk management and 
model risk management requirements.
---------------------------------------------------------------------------

    9. To what extent do banks employ internally developed BSA/AML or 
OFAC compliance systems, third-party systems, or both? What challenges 
arise with such systems considering the principles discussed in the 
MRMG? Are there challenges that are unique to any one of these systems?
    10. To what extent do banks' MRM frameworks apply to all models, 
including BSA/AML and OFAC models? Why or why not?
    11. Specific to suspicious activity monitoring systems, the 
agencies are gathering information about industry practices. The 
agencies welcome responses to the following, regarding individual bank 
and common industry practices.
    a. Suspicious activity monitoring system validation:
    i. To what extent do banks validate such systems before 
implementation?
    ii. Are banks able to implement changes without fully validating 
such systems? If so, please describe the circumstances.
    iii. How frequently do banks validate after implementation?
    iv. To what extent do banks validate after implementing changes to 
existing systems (e.g., new scenarios, threshold changes, or adding/
changing customer peers or segments)? Please describe the circumstances 
in which you think this would be appropriate.
    v. How do banks validate such systems?
    vi. What, if any, compensating controls do banks use if they have 
not had an opportunity to validate such systems?
    b. Suspicious activity monitoring system benchmarking: What, if 
any, external or internal data or models do banks use to compare their 
suspicious activity systems' inputs and outputs for purposes of 
benchmarking?
    c. Suspicious activity monitoring system back-testing: How do banks 
attempt to compare outcomes from suspicious activity systems with 
actual outcomes, given that law enforcement outcomes are often unknown?
    d. Suspicious activity monitoring system sensitivity analysis: How 
do banks check the impact of changes to inputs, assumptions, or other 
factors in their systems to ensure they fall within an expected range?
    12. To what extent do banks calibrate the scope and frequency of 
MRM testing and validation for BSA/AML and OFAC

[[Page 18982]]

models based on their materiality? How do they do so?

Blake J. Paulson,
Acting Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System.
Ann Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on or about January 22, 2021.
Debra A. Decker,
Deputy Executive Secretary.
Melane Conyers-Ausbrooks,
Secretary of the Board, National Credit Union Administration.
AnnaLou Tirol,
Deputy Director, Financial Crimes Enforcement Network.
[FR Doc. 2021-07428 Filed 4-9-21; 8:45 am]
BILLING CODE 6210-01-P; 6705-01-P; 4810-33-P