Eight years have passed since the careless use of a single model nearly killed Wall Street. The Gaussian copula, which was used indiscriminately to capture the underlying dependence structure of trillions of dollars of securitised products, led to one of the grimmest episodes in the history of finance. In a single stark example, it proved to the industry just how bad model risk can be.
Previously, the issue of model risk didn't command much attention. Banks would have a handful of validators signing off on individual models, traders were often endowed with control over the models they used and discussions about model risk were typically not escalated to the board.
But times have changed, thanks largely to guidance issued by the US Federal Reserve Board and Office of the Comptroller of the Currency in 2011. Their Supervisory guidance on model risk management is commonly known as SR 11-7.
The US guidance lays down a definition of a model – one some dealers consider to be so broad that even tools such as Excel spreadsheets used for rating customers could be caught by it. Among other things, it requires banks to separate model use and development from validation, set up a consolidated firm-wide model risk function, maintain an inventory of all models, and fully document their design and use.
The result is that model risk management teams have grown tenfold and the number of validations some banks are carrying out has tripled. Prior to SR 11-7, large banks would have had to validate up to 100 models a year. Now, this figure is closer to 300. More fundamentally, power over models has been snatched away from traders and some worry that modelling innovations face too many bureaucratic obstacles.
The motivation behind the US guidance is clear: banks were reckless with their use of models, and that sort of culture can no longer fly. However, they are left scrambling for resources. The rules have placed severe strain on banks' model risk management teams, some of which say they are now having difficulty recruiting the right staff.
This situation is likely to worsen once more non-US banks begin following the guidance. At the moment, guidance similar to SR 11-7 doesn't exist outside the US. But some European supervisors, such as the UK's Prudential Regulation Authority and Switzerland's Finma, are pressing their banks to align with it. This is seen as the beginning of a broader shift. If non-US regulators increasingly apply the US approach and require banks to up their model risk management efforts, resources might become even scarcer.
Moreover, no regulatory compliance story is complete without banks trying to find loopholes to beat the rules – in this case, trying to sneak models past the tighter governance regime by claiming they are, in fact, something else. That means defining models in such a way that they do not have to be validated, or creating ‘super models' that generate other models, but only putting one single model through validation.
If the supervision of other risks – such as market and credit risk – has taught us anything, it is that there is a long way to go before both regulators and banks learn how to manage a risk appropriately, and model risk is no exception. SR 11-7 takes that essential first step, although at the cost of putting a strain on banks' resources. But at least it is a reasonably good start to taking care of an eight-year-old problem.