Model risk management at fintech organizations

Guidance for special purpose charter applicants

Considering applying for the Office of the Comptroller of the Currency (OCC) special purpose charter? Start formalizing your model risk management (MRM) framework. Discover key insights and best practices for fintechs as they take on this challenge.

Fintech special purpose charter applicants

In July 2018, the US Treasury Department issued a report1 signaling a new regulatory approach for nonbank financial technology ("fintech") organizations.

Simultaneously, the Office of the Comptroller of the Currency (OCC) announced2 that it is accepting special purpose charter applications for fintechs considering an entry into the banking environment. Fintechs may also apply for a full-service FDIC-insured bank charter.

Fintechs are typically driven by alternative data and modeling technologies, including predictive underwriting engines, credit risk management models, anti-money laundering/anti-fraud controls, and fair-lending compliance tools. It is reasonable to expect that the OCC will extend its existing banking supervision guidance related to Model Risk Management (MRM), in OCC 2011-12, to fintech charter holders, because the charter states that supervision will be based on risk and complexity, and the OCC recognizes the inherent risks of modeling.

Fintechs applying for a charter will need to prepare a detailed business plan, including a risk assessment and discussion of planned risk management systems and controls. The OCC will evaluate the plans and examine the risk management systems and controls prior to granting final approval. As such, fintechs considering a bank charter will need to design and implement their MRM frameworks. While there may be some existing MRM practices, formalizing the program to the degree of the OCC’s expectations may represent a significant effort.

"Model risk" is the risk of financial loss, erroneous financial statements, improper managerial decisions, or damaged reputation, resulting from poorly built, used, or controlled models.

MRM is the branch of risk management that addresses these concerns. It is a structured approach that defines roles, responsibilities, policies, procedures, and controls to mitigate the potential adverse impact of the model-use environment.

As illustrated below, an organization’s MRM framework integrates these roles and activities.

Illustrative MRM framework

Governance, oversight, and the MRM operating environment

Governance and oversight

Regulators expect supervised organizations to manage model risk through active ownership by the senior-most levels of the organization.

While MRM is a shared responsibility by stakeholders throughout the organization, a dedicated functional area can serve as the centralized linchpin between senior management’s oversight and the day-to-day mandate of MRM policies and procedures.

For fintechs, the risk function and chief risk officer (CRO) may be in the best position to play this role. However, depending on organizational structure, the chief operating officer (COO) or chief information officer (CIO) channels could also effectively drive MRM.

The OCC expects national banks to have expertise, financial acumen, and a risk management framework that includes the three lines of defense3. For example, Internal Audit plays a special role in the MRM framework by ensuring that a comprehensive MRM program has been designed and implemented effectively, and that segregation of MRM responsibilities exists, where applicable.

MRM operating environment

There are several basic pillars of the MRM operating environment that fintechs need to consider when establishing their MRM frameworks:

  • Model definition: While the OCC guidance offers a definition of “model,” fintechs need to determine if and how that definition should be tailored to reflect the nature of their model-use environment.
  • Inventory and risk rating: Fintechs rely on many models to drive their business. Potential model types include but are not limited to underwriting, credit risk, suspicious activity monitoring for anti-money laundering, sanction screening, anti-fraud, consumer-lending compliance, accounting, marketing, tax, capital, liquidity risk, and many other model types. Maintaining a complete and accurate catalog, risk-rated on qualitative and quantitative factors, is at the heart of a sound MRM framework.
  • Policies and procedures: Detailed guidance that governs the standardized roles, responsibilities, and activities for each stage of the model life cycle; drives cadence; and provides consistency in facilitating MRM. These protocols should be tailored to the fintech's risk appetite and the degree of reliance on model-enabled processes and decisions.

As illustrated above, there are other elements of the operating environment that are designed to improve the sophistication and effectiveness of the MRM framework.

Development and implementation

A sound MRM framework includes defined activities for model development and implementation. This includes procedures for designing and testing the model’s underpinning theory, performance, and related inputs and assumptions, as well as documenting these considerations in a uniform manner.

Fintechs may internally develop or purchase models from a vendor. Therefore, well-defined procedures should indicate the due diligence activities expected for both scenarios.


Model validation is among the most critical activities in the MRM framework. In this stage of the model life cycle, an individual, other than the model developer, periodically performs a series of checks and analyses to confirm that the developer adhered to the internal development standards, as well as to determine the model’s continued fitness for use.

The nature, timing, and extent of validation activities are determined by the risk-rating methodology. (See the "MRM operating environment" section above.)

Use and ongoing monitoring

Continued monitoring of model performance by model owners (developers and/or users) can help identify potential model calibration and/or use issues in between scheduled model validations.

Fintech MRM framework considerations

The MRM framework will be different for each fintech.

The level of effort and related cost, as well as the degree of regulatory focus, will depend on the riskiness of the fintech's models and model-use environment. For example, many models that risk-discriminate among borrowers unable to secure lending at banks have not been tested during an economic downturn and, as such, may draw regulatory scrutiny from the OCC.

The OCC recognizes that models provide fintechs with a competitive edge, whereby balance sheet capital management is enhanced with better loan loss forecasting. To this end, the regulators will likely use the extension of OCC 2011-12 to promote financial market safety and soundness, consistent with charter intent. For example, given the regulatory focus on protecting consumers by preventing geographic and/or race-based lending discrimination by lending models or algorithms, regulators will particularly be focusing on the soundness of fintech MRM frameworks.

This regulatory guidance serves as a mechanism for supporting internal and external fintech stakeholder interests. For example, the rich information generated through MRM can drive meaningful risk management activities to support overall portfolio management, such as determining which market segments to target. It also generates critical data that informs board members to make decisions, helps regulators to evaluate the safety and soundness of the organization, and positions fintechs for equity analysts and ratings agencies to evaluate individual and peer performance when making rating decisions.

As fintechs contemplate applying for a charter, it will be important for them to begin assessing their model-use environment and susceptibility to model risk. The design and implementation of a tailored MRM framework can help fintechs navigate and manage critical risks and avoid disruption by preparing for anticipated regulatory scrutiny. Now is the time for fintechs considering a bank charter to begin formalizing their MRM framework.

How Deloitte can help

With 300+ professionals in our MRM practice, we have helped organizations of all sizes design, implement, and execute their MRM programs.

Our team includes former regulators, academics, industry modeling specialists, data scientists, programmers, and risk professionals.

Let's talk

Clifford Goss, Ph.D
Deloitte & Touche LLP


Peter Reynolds
Managing Director
Deloitte & Touche LLP

Alexey Surkov
Deloitte & Touche LLP


Gina Primeaux
Deloitte & Touche LLP

Chris Spoth
Executive Director, Center of Regulatory Strategy Americas
Managing Director
Deloitte & Touche LLP


John Graetz
Deloitte & Touche LLP

David Wright
Managing Director
Deloitte & Touche LLP


Richard Rosenthal
Senior Manager
Deloitte & Touche LLP


1 US Department of the Treasury, “Treasury Releases Report on Nonbank Financials, Fintech, and Innovation” (July 31, 2018)

2 Office of the Comptroller of the Currency (OCC), “OCC Begins Accepting National Bank Charter Applications From Financial Technology Companies” (July 31, 2018)

3 It is typical for organizations to allocate MRM roles and responsibilities into 3 lines of defense (LOD), whereby the 1st LOD is represented by the model developer or model user; the 2nd LOD is represented by someone other than the model developer or model user (often within the Risk function); and the 3rd LOD is represented by Internal Audit.