Regulatory Compliance

For our Fed remediation plan for Sanctions, Audit was key part of the remediation plan. We submitted a full Audit “TOM” including resource model, training, risk assessment, audit testing program, and senior mgmt. reporting. There was also a layered sign off for smaller vs. golden milestones, where Audit got involved to provide design assurance vs. operational effectiveness.

The ORX global reference taxonomy was developed based on 60+ risk taxonomies used by financial institutions around the globe is probably the best representation of peer practices and has been adopted, with tailoring for the specific organization, by many since the taxonomy was developed ~5 years ago.

Within the ORX global reference taxonomy, regulatory compliance is a separate L2 category within the NFR taxonomy, and is defined as “the failure to comply with any legal or regulatory obligations that are not captured through other Level 1 risks within the NFR taxonomy”, because the risk of non-compliance with specific legal or regulatory obligations is relevant to most Level 1 risks in the NFR taxonomy and therefore we wanted to avoid overlap with these risks

I would also like to learn more about this

For Canada specifically, please refer to the latest Draft Guideline E-23 on model risk management by OSFI (our banking and insurance regulator).

To capture the risk posed by AI, the Draft Guideline modernizes the definition of “model” in the original 2017 Guideline to explicitly include AI and machine learning methods. Basically the AI-based solutions are considered “models” and are subject to model risk management requirements. Detailed requirements can be found in the guideline