CECL Model Risk & Compliance

What is CECL?

Current expected credit loss, or the CECL framework, is a method of accounting for credit losses. CECL standards help organizations better time the recognition of credit losses through using expected (instead of incurred) loss models.

In terms of scope, CECL applies to banks, credit unions, or any firm or financial institution issuing credit under generally accepted accounting principles (US GAAP). The CECL accounting standard is designed with flexibly in mind to account for the broad range of org sizes. Implementation can range from Excel spreadsheets to dedicated IT systems (databases, applications, etc.), depending on the size of the org.

EUC-based Credit Loss Models

Credit loss models play a big role in determining allowance for credit losses (ACL). Models are often built and maintained in Excel spreadsheets or other end user computing (EUC) applications.

EUCs are flexible, powerful tools that allow end users to create purpose-built applications and models. Furthermore, they don’t require any IT resources, allowing users to develop a concept quickly into a full production asset. It’s no wonder EUC programs like Microsoft Excel are ubiquitous in most organizations.

However, EUCs have inherent risk due to the lack of oversight and are inescapable from human error. Coupled with their widespread use, many organizations fail to identify and manage the risk before it’s too late. EUC-based credit loss models are no exception. Model risk can lead to many negative consequences.

CECL Risk & Related Regulatory Standards

Weaknesses in CECL compliance can results in a matter requiring attention (MRA), material misstatements, and other corrective actions.

This risk is compounded by being closely intertwined with other regulatory and reporting standards. For CECL, that includes models being employed by stress testing functions (DFAST) and regulatory reporting requirements, like Sarbanes- Oxley (SOX). As discussed earlier, the heavy use of models also means there is model risk that must be managed (SR 11-7).

Focusing back on CECL, one regulator, the OCC, defines eight risk categories. Three of these categories are more relevant to EUCs used in the ACL process. Failing to manage the operational, compliance, and reputational risks of EUC-based models will have a larger impact on the institution.

Operational Risk

Operational risk stems from poor internal systems/ procedures, accidental or malicious errors, or detrimental outside events. Operational risk can result in financial misstatements and errors in regulatory reporting. Spreadsheet-based models, specifically, are notorious for human errors that have resulted in billions of dollars in losses.

To manage operational risk, it’s important to have sound audit and governance functions, including effective collaboration between the two. Additionally, EUCs should have controls around application access, data integrity, and availability centered around model risk management (MRM).

Compliance Risk

Compliance risk comes from not following laws, regulations, internal policies, and so on. Failing to address compliance risk can result in fines, civil money penalties, or other enforcement actions.

Reputational Risk

Reputational risk arises from negative public opinion of the organization. Adverse trends in ACL or enforcement actions can impact the org’s reputation and the market’s perception of the institution.

CECL Compliance

For EUCs that support ACL processes, regulators look at three key areas:

• Policies & procedures
• Loss estimation models
• Documentation & controls

CECL Policies & Procedures

The goal of CECL policies and procedures should be to reasonably estimate expected credit losses. Policies and procedures related to EUCs should include:

• Definition of roles and responsibilities of those involved in ACL processes
• Supporting systems and documentation for regulatory and financial reporting
• Validation and independent review of loss estimation processes
• Internal controls used to ensure ACL processes comply with GAAP and safety and soundness standards (12 CFR Part 30, etc.)

Loss Estimation Models

Loss estimation models must be thoroughly evaluated before being put into production. The models’ resulting loss estimates must also comply with GAAP and regulatory requirements, such as SR 11-7.

Models have inherent risk which cannot be eliminated, such as incorrect or misused model outputs. This is amplified if the model is spreadsheet/ EUC-based.

Organizations should have a comprehensive MRM program that governs every aspect of model usage. While there is crossover with other governance functions, the MRM framework should address:

• Management oversight
• Policies & procedures
• Risk assessment
• Internal audit
• Model inventory documentation
• Data management

By implementing an effective MRM framework, orgs will be able to develop more accurate models and timely address any weaknesses.

Loss estimation models should also be validated. Model validation activities include:

• Assessing soundness
• Tracking performance
• Evaluating output(s)

There are often models used for multiple purposes within an org. In this case, regulators recommend a separate version to be specifically adjusted and validated for use in ACL loss estimation processes. For example, stress testing models, which have a different purpose and compliance requirements, may be used in the process. In this case, the stress testing model should be copied and adjusted to support the ACL estimation process under GAAP.

Documentation & Controls

Every aspect of the organization’s CECL framework should be well documented. This allows for greater transparency and context when reviewing the program. In the case of credit loss models, documentation examples include:

• Qualitative assessments used in estimating expected credits losses; often used to align modeled expectations with actual historical losses
• Model adjustments
• Model outputs

Furthermore, controls should be in place to ensure timely and accurate financial, operational, and regulatory reporting. For EUC-based models, controls should be in place for:

• Supporting data used in estimating expected credit losses
• Compliance with laws, regulations, and policies and procedures
• Financial and regulatory reporting

Data Integrity

The CECL framework recommends that the internal controls for data integrity be appropriate for the size and complexity of the organization. Furthermore, CECL expands the scope of what data can be used to estimate expected credit losses. If new data sources are used, appropriate internal controls must also be put in place.

Data integrity controls include:

• Completeness and accuracy of data
• Maintenance of EUCs used to support ACLs (e.g., spreadsheets, reports, etc.)
• Relevancy and reliability of data used within models
• Model metadata including key assumptions, specific calculations, etc.
• Password- protection and read-only functions
• Independent review of EUC/ model changes by an independent party (compliance/ governance or internal audit)
• Data backup/ recovery procedures

Audit

Documentation and control systems should be independently reviewed by internal and external auditors.

Internal Audit: MRM teams assess quantitative models, while internal audit will review those efforts against the org’s CECL policies. Internal audit will help optimize the efficiency and effectiveness of the org’s CECL controls. For EUC-based models, auditors will review:

• CECL governance and controls
• Model risk management
• Data relevance and reliability

External Audit: In terms of EUCs, external auditors will focus on Internal controls over financial reporting (IFRS), which include ACLs. It also includes Sarbanes-Oxley Act (SOX) requirements for publicly traded firms.

Next Steps

Learn how to create or enhance and existing EUC policy for CECL compliance with our Best Practice Guide. It provides best practices for establishing or enhancing an EUC policy for models and other applications that support ACL processes.