Financial institutions routinely use models for a broad range of activities, including underwriting credits; valuing exposures, instruments, and positions; measuring risk; managing and safeguarding client assets; determining capital and reserve adequacy; and many other activities.
Given the increasing regularity with which financial institutions deploy models, it is important these institutions implement sound governance to address related model risk, including for potential pitfalls such as poorly developed models, lack of thorough documentation on models, business decisions based on flawed or misused models, etc.
In the event of an exposure, a financial institution stands to pay dearly – this could be in form of regulatory fines and possible damage to its reputation. Sometimes, accountable senior officers are equally hit by the regulator’s hammer.
Nothing draws above concerns home more than last week’s successive sanctions by the U.S. Securities & Exchange Commission (SEC). In this update, I review the SEC sanctions and discuss the imperative that financial institutions implement sound model risk management framework.
Last Monday, the SEC announced charges against four Transamerica entities – AEGON USA Investment Management LLC (AUIM), Transamerica Asset Management Inc. (TAM), Transamerica Financial Advisors Inc., and Transamerica Capital Inc.
According to the SEC, investors had put billions of dollars into mutual funds and strategies using faulty models developed by AUIM. Without admitting or denying the findings, the Transamerica entities agreed to settle the charges and pay nearly $53.3 million in disgorgement, $8 million in interest, and a $36.3 million penalty.
The SEC found the models, which were developed solely by an inexperienced, junior AUIM analyst, contained numerous errors, and did not work as intended. Worse still, when AUIM and TAM learned about the errors, according to the regulator, they stopped using the models without disclosing the errors to the investors.
AUIM Senior Officers were not Spared
In separate orders, the SEC found that AUIM’s former Global Chief Investment Officer (GCIO) and the former Director of New Initiatives (DNI) each were a cause of certain AUIM violations.
In particular, while reviewing the officers’ levels of culpability, the regulator noted:
i) the GCIO did not take reasonable steps to ensure the models worked as intended; and
ii) both the GCIO and the DNI contributed to AUIM’s compliance failings related to the development and use of the models.
Without admitting or denying the findings, the GCIO and the DNI agreed to settle the charges and pay, respectively, $65,000 and $25,000 in penalties that also will be distributed to affected investors.
Moody’s Investors Service Inc.
On August 28, the next day after Transamerica sanctions, the SEC assessed Moody’s Investors Service Inc. (Moody’s) penalties of $16.25 million.
The penalties followed charges of internal control failures involving models the credit rating agency used in rating U.S. residential mortgage-backed securities (RMBS), and for failing to clearly define and consistently apply credit rating symbols.
Marking first time the SEC ever filed an enforcement action involving rating symbol deficiencies, the regulator found that Moody’s failed to establish and document an effective internal control structure for models it outsourced from a corporate affiliate and used in rating RMBS from 2010 through 2013.
The SEC further found that Moody’s failed to maintain and enforce existing internal controls that should have been applied to the models. In 54 instances, according to the regulator, the credit rating agency failed to document its rationale for issuing final RMBS ratings that deviated materially from model-implied ratings.
Without admitting or denying the findings, Moody’s corrected more than 650 RMBS ratings with a notional value exceeding $49 billion due, in part, to errors in the models.
The Sanctions Point to only One Direction
Moody’s and the Transamerica entities could have done better in terms of maintaining strong governance and controls to help manage model risk. In this regard, below deficiencies stand out.
i) Poorly designed models
The Transamerica entities and Moody’s were found to have relied on faulty models. An organization must ensure to develop a model that is sound and fit for its intended purpose.
ii) Lack of thorough documentation
Moody’s was found to have failed to establish and document an effective internal control structure for the models it outsourced from another entity.
A company’s model risk management policy should require maintenance of detailed documentation of each model’s life cycle, an inventory of models in use, independent validation processes, etc.
iii) Ineffective controls for third party developed models
According to the regulator, Moody’s failed to establish and document an effective internal control structure for its outsourced models.
Adopting a third party developed model does not eliminate the requirement for an organization to subject the model to its internal process for vetting, approval, ongoing validation, decommissioning and overall documentation, as would be done for in-house developed models.
iv) Model developer(s) not having requisite knowledge, skills, and expertise
For the Transamerica entities, the regulator found that the investment models were developed solely by an inexperienced, junior analyst. It was not a surprise the models turned out as containing numerous errors, and also not working as intended.
A company’s policies must identify roles and assign responsibilities within the model risk management framework with clear detail on staff expertise. For instance, model developers and staff doing validation, like other stakeholders, must have the requisite knowledge, skills, and expertise.
v) Lack of oversight/independent validation
The SEC found that the GCIO did not take reasonable steps to ensure the AUIM models worked as intended. For Moody’s, the credit rating agency did not develop an effective process to ensure the accuracy of its outsourced models.
Oversight, including ensuring periodic model validation, is critical. A financial institution must design a program of ongoing testing and evaluation of model performance along with procedures for responding to any problems that appear. This program should include process verification and benchmarking.
Financial institutions must embrace sound model risk management governance, as doing otherwise may prove quite costly. Commenting on Moody’s sanctions, the SEC noted,“…despite being put on notice…it [Moody’s] did not develop an effective process to ensure the accuracy of the models it relied upon when rating residential mortgage-backed securities.” No institution would like to find itself in similar situation. As such, time to act is now!
*Olakunle Komolafe, financial sector law and policy expert, holds an LL.M. from Harvard Law School, United States of America and another LL.M. in Energy, Natural Resources and Environmental Law from the University of Calgary, Canada.