Model risk management (MRM) is the practice of identifying, measuring, and mitigating the potential dangers arising from using inaccurate or misused models. Think of it as building a fence around a powerful tool, ensuring its outputs are reliable and its use responsible.
MRM is crucial in various fields, especially finance, where decisions based on models around credit scores or market predictions can have significant financial impact. But the potential for error lurks everywhere – from faulty assumptions in a model’s design to biased or incorrect data or programming mistakes. MRM tackles these risks head-on by establishing clear frameworks for model development, validation, and usage.
AI/ML models have added more complexity for financial institutions (FIs). Regulators have now started to tackle AI/ML mode risk and have started to issue guidance. For example, for the first time since 2017, Canada’s Office of the Superintendent of Financial Institutions (OSFI) has issued an updated draft of Guideline E-23 Model Risk Management relating to enterprise-wide artificial intelligence (AI) model risk management.
The draft Guideline acknowledges that financial institutions are increasingly adopting modern artificial intelligence (AI) systems for decision-making. Per OSFI, “Increased model risks could expose organizations to financial loss from flawed decision making, operation losses, and/or reputational damage. As such, it’s important for organizations to mitigate their model risks by adopting robust model risk management practices and oversight, including adequate controls.”
WorkFusion has put extreme care and ongoing development into capabilities designed specifically for FIs to understand, manage and mitigate the risks in implementing and deploying our AI Digital Worker suite of products.
Avoiding a Black Box Model
The scope, complexity and evolution of AI systems have grown substantially in recent years. An AI system typically identifies data relationships and automatically generates predictive algorithms that exploit these relationships to deliver findings or outcomes. Often, the application of these algorithms is hidden from view. So, an FI’s users are left with “black box” models that deliver meaningful and actionable information that seems correct, but which they cannot fully explain. That leaves a gap when discussing the model with regulators as well as when striving to validate the model on an ongoing basis.
According to FDIC guidance, Supervisory Guidance on Model Risk Management, a model consists of three components:
- The information input component that delivers assumptions and data to the model
- The processing component that transforms inputs into estimates
- The reporting component that translates the estimates into useful business information.
“Models meeting this definition might be used for analyzing business strategies, informing business decisions, identifying and measuring risks… measuring compliance with internal limits, maintaining the formal control apparatus of the bank, or meeting financial or regulatory reporting requirements…”
Rightfully, many AI models are questioned regarding their validity. For that reason, it is vital that FIs leverage “explainable AI” to ensure that MRM with explainability remains constant.
WorkFusion delivers explainable AI in all our products. Each AI Digital Worker incorporates AI and ML in a “glass box” model which any financial institution’s compliance team can use, understand and explain. This leads to rapid acceptance of new AI-based solutions by FI senior management and model trust by the regulators who review an institution’s model risk.
Glass Box Model at a High Level
Consider a common financial compliance use case that thrives by applying AI and ML – automated transaction screening alert adjudication for sanctions.
Robust transaction screening for exposure to sanctioned entities, individuals, and jurisdictions is a regulatory expectation in the United States and many other countries. Screening occurs mainly on the Office of Foreign Assets Control (OFAC) set of sanctions lists but also often includes other external and internal-bank sanctions lists. Financial institutions and other organizations use “sanctions screening” or “watchlist filtering” technologies to compare inputs, including transactions, with items on a sanctions list. The output of those technologies are “alerts” and/or “hits.”
A bank uses an AI solution to automate transaction screening alert adjudication for sanctions. The AI solution, a Digital Worker from WorkFusion (product name Tara) facilitates a 70%+ reduction in the manual disposition of false positive hits on millions of transaction alerts each year. Tara helps the bank process payments quickly and compliantly by automating entity recognition and name-matching for people, addresses and organizations, comparing them against ‘her’ decision matrix to determine whether an alert is a false positive or not. This decision-making is driven by the creation of feature outputs from a machine learning ensemble model and a supporting rules-engine.
Per the FDIC’s supervisory guidance, the four AI/ML models employed in Tara’s sanction alert screening incorporate the three core model components of Inputs, Processing and Reporting – with full explanations, audit trails and reporting that address each component. To further optimize AI explainability and minimize model risk, Tara is put through intensive and continuous testing of the models that underpin all decisions.
Tara uses a multi-stage model testing methodology to ensure the final decisions, or outcomes, are accurate and robust. The following steps define the methodology:
Defining target metrics. For each ML model (I.e. Name matcher, Entity classifier, Decisioning, etc.), the target metric is defined in line with the business objectives. For example, the target metric could be “Precision” for a compliance team seeking to minimize errors.
Cross validation and model selection. After defining the training and testing of datasets, the training dataset is subdivided into folds wherein one of the splits within the fold is used for testing the models and the remainder of the splits are used for training. This process is repeated until all the folds are used for testing. The average of these cross-validation results is then used for model selection (I.e., algorithm selection) to reduce selection bias.
Testing on out-of-sample data and model tuning. FIs can only ensure implementation accuracy via thorough testing of the new technology. Testing occurs in a manner that is independent of existing rules/algorithms by replicating or re-executing the solution in a separate environment and following documented configuration settings and logic.
A population-representative test set is used for hyperparameter tuning of all models.
Model Effectiveness. Model effectiveness is typically measured through metrics and reporting. FIs should review the effectiveness of rules/algorithms in place by statistically assessing alerts. This will reveal any opportunities to improve efficiency by revising the thresholds, configuration settings and/or the rule’s logic.
Trends associated with changes in all metrics can be tracked over adjustable periods. In this way, alignment with MRM can remain constant and optimized. For compliance and monitoring purposes, Tara captures and saves, for each alert/hit, all decisions made throughout the automated business process as well as the rationale behind those decisions. Event logs for automation flow are also provided to the FI. Reports specific to Business Process Instances show information such as date of review, hit characteristics, scenario analysis, proposed commentary, decision logic, and model confidence score.
AI with Explainability
This use case demonstrates how an AI solution vendor can provide a financial institution with the means to modernize its regulatory compliance for maximum accuracy and efficiency – without running afoul of regulators. AI with explainability is the key, and responsible AI solution vendors should be able to provide the level of AI explainability that aligns with your organization’s MRM requirements.
To learn more about WorkFusion, please request a demo.