Prudential Regulation Authority Rulebook

1.1

This Prudential Regulation Authority (PRA) supervisory statement (SS) sets out the PRA’s expectations for banks’^[1] model risk management (MRM). The PRA considers model risk as a risk in its own right.

1.2

This SS is relevant to all regulated United Kingdom (UK)-incorporated banks, building societies and PRA-designated investment firms with internal model approval to calculate regulatory capital requirements.^[2] The expectations in this SS do not apply to firms which do not have permission to use internal models to calculate regulatory capital and third-country firms operating in the UK through a branch. However, the PRA considers that those firms may find the proposed principles useful, and are welcome to consider them to manage model risk within their firm. Credit unions, insurers, and reinsurers are not in scope of the MRM expectations in this supervisory statement.

1.3

In the rest of this SS, ‘firms’ means UK banks, building societies and PRA-designated investment firms with internal model approval. The purpose of this SS is to support firms to strengthen their policies, procedures, and practices to identify, manage, and control the risks associated with the use of all models, developed in-house or externally, including vendor models,^[3] and models used for financial reporting purposes. The principles are designed to complement, not supersede, existing supervisory expectations that have been published for selected model types. Firms should continue to apply the supervisory expectations relevant to them and their particular models, including attestations and self-assessments where applicable.

1.4

The SS is structured around five high-level principles designed to cover all elements of the model lifecycle. The principles set out what the PRA considers to be the core disciplines necessary for a robust MRM framework to manage model risk effectively across all model and risk types. The PRA’s desired outcome is that firms take a strategic approach to MRM as a risk discipline in its own right.

1.5

The policy comes into effect on Friday 17 May 2024.

1.6

Before the policy comes into effect, firms are expected to conduct an initial self-assessment of their implemented MRM frameworks against these principles and, where relevant, to prepare remediation plans to address any identified shortcomings.

1.7

Self-assessments should be updated at least annually thereafter, and any remediation plans should be reviewed and updated on a regular basis. Both the findings from the self-assessment and remediation plans should be documented and shared with firms’ boards in a timely manner. Firms’ boards should be updated regularly on remediation progress.

1.8

The relevant SMF(s) accountable for overall MRM should be responsible for ensuring that remediation plans are put in place where necessary with clear ownership of any necessary actions. Firms are not expected to share the remediation plans or self-assessment routinely with the PRA, but should be able to provide them upon request.

1.9

Firms that first receive permission to use an internal model to calculate regulatory capital after the publication of this policy will have 12 months from the grant of that permission to comply with the expectations in this policy.