On December 21, 2022, the US Federal Housing Finance Agency (“FHFA”) issued Advisory Bulletin 2022-03 (“Advisory Bulletin” or “Guidance”) to provide the entities it regulates with supplemental guidance pertaining to model risk management.1 The Guidance supplements a 2013 advisory bulletin published by FHFA on the same topic. While this supplemental Guidance applies only to Fannie Mae, Freddie Mac, the Federal Home Loan Banks (“FHLBanks”), and the Office of Finance (collectively, the “regulated entities”),2 other entities may look to the FHFA’s Guidance to identify developing trends and best practices for managing model risk.

In this Legal Update, we highlight certain aspects of the Advisory Bulletin that are intended to address gaps in the FHFA’s existing guidance due to changes in model-related technologies in the mortgage industry.


In November 2013, the FHFA issued model risk management guidance articulating its supervisory expectations for model risk management and outlining the framework of baseline control and governance requirements.3 Since the issuance of that guidance, technology has evolved, and new issues have developed in the use of models and oversight of model risk, including the increasing adoption of cloud technology and artificial intelligence/machine learning techniques. The FHFA also notes that the FHLBanks’ use of models continues to increase, including both models developed internally as well as those developed externally by sophisticated vendors. Thus, the issuance of this supplemental Guidance is intended to build upon the 2013 advisory bulletin and provide a more comprehensive representation of the scope of supervisory expectations in this specific subset of operational risk management.


Model Risk Management Framework

As with previous model risk management guidance issued by the FHFA, the agency acknowledges that there may be differing degrees of risk depending on the size and complexity of the regulated entity.

The FHFA indicates that it has observed an increase in the adoption of certain technologies used in the mortgage industry since the issuance of the agency’s 2013 model risk management guidance. Many of these technologies, such as cloud servers, vendor models, and external data, reside externally to the regulated entities and are largely outside of the regulated entities’ control. As a result, the FHFA expects that regulated entities will take a “macro-prudential” view to determine their systemic dependencies and interconnections by mapping out external dependencies to significant internal systems. The Guidance instructs the regulated entities to take inventory of any key dependencies on externally sourced technologies and have senior management regularly update and review this inventory to present to the board of directors, as deemed appropriate.

Model Validation Program

Use of Third Parties – The Advisory Bulletin suggests that regulated entities can use third-party reviewers to complete independent model validations. However, according to this supplemental Guidance, a regulated entity’s model validation group remains accountable for the quality, recommendations, and opinions of any third-party reviewers. Accountability here will look like implementing model risk management policies and practices that align the vendor-completed specific standards for an independent validation with the specific standards included in FHFA’s 2013 guidance.

“Effective Challenge” – The supplemental Guidance states that model risk management policies should include acceptable practices for the “effective challenge” of models. In order for a practice to be deemed an “effective challenge,” parties that are independent and informed shall identify model limitations, evaluate assumptions, and recommend appropriate changes. The FHFA evaluates the efficacy of an effective challenge by assessing a combination of incentives, competence, and influence, which can require, for example, that regulated entities invest human capital resources in qualified personnel and ensure the distinct separation of the model challenge process from the model development process.

The supplemental Guidance indicates that senior levels of management should give those responsible for effective challenge processes explicit authority, support, and stature within the organization. This can be viewed as part of an organization’s risk culture and reflects the importance of structural risk controls.

End-User Computing Tools – When deciding if an end-user computing tool (“EUC”) or calculator should be classified as a model, and therefore be subject to the FHFA’s model risk management guidance, the supplemental Guidance indicates that the FHFA will look at the increased complexity of and reliance on EUCs and calculators to carry out critical financial operations. This increased reliance demonstrates an increased potential for risk. A regulated entity should therefore classify a significant or important EUC, calculator, or other data generating process as a model if it (1) feeds into or out of a model; (2) makes assumptions; and/or (3) incorporates thresholds or quantitative methodologies.

Under the supplemental Guidance, integrated EUCs, calculators, and processes should be treated as models subject to model validations and governance in accordance with the frequency and rigor outlined in the regulated entity’s model risk management policies and procedures, when applicable. This reflects a broader trend of comprehensively inventorying model-like processes within banking organizations, extending even to processes that are designed and operating in a manner that is less formal than typical modelling practices.

Model Control Framework

On-Top Adjustments – The FHFA is aware that regulated entities will periodically make on-top adjustments, at the component level or to the overall result of model outputs, in order to produce more accurate results. As a result of these adjustments, regulated entities are instructed to develop and document a clear and transparent process for determining (1) when on-top adjustments to models are needed; (2) how the adjustments will be applied; and (3) the length of time for having these adjustments in place before finding a permanent solution.

The supplemental Guidance indicates that the FHFA will not accept a qualitative assessment such as one indicating that model assumptions or on-top adjustments are “conservative.” This is because such an assessment does not provide sufficient support for a quantitative assumption or adjustment. Therefore, organizations should consider providing sufficient documentation to support significant modelling assumptions or on-top adjustments, whether they are “conservative” or not. Included in this documentation might be justification for the on-top adjustment, articulation of the effect of the adjustment, and a statement on how long it will be applied. These adjustments also should be subjected to effective challenge.

Lastly, the recurrent use of on-top adjustments by regulated entities requires effective management and oversight and can be an indicator of an insufficient model or process. The supplemental Guidance indicates that such continual use of these adjustments should trigger a proper review in order to determine if the use is recurrent or simply temporary. Importantly, if an adjustment is deemed to be recurrent, the model or forecast process may need to be updated. Further, when updating, a process should be put into place that incorporates full engagement and feedback from relevant parties in order to secure effective updates.

Model Assumptions – The incorporation of modelling assumptions should generally be implemented in a consistent manner. The FHFA will permit some inconsistency when certain circumstances arise where models and assumptions simply cannot be used consistently. According to the Advisory Bulletin, such an exception would be allowable when, for example, accounting rules prescribe a specific use and, as a result, regulated entities require a process to address that use and evaluate and assess the effect of the inconsistency. The FHFA notes that these occurrences of inconsistency need to be appropriately documented.


The FHFA’s supplemental Guidance helps to clarify and further outline supervisory expectations for regulated entities when using model-related technologies. Overall, the Advisory Bulletin suggests that close monitoring of internal model processes and controls will allow the regulated entities an opportunity to improve their practices and better manage risk. Importantly, this Guidance is limited to model risk, which is a specific subset of operational risk.

The supplemental Guidance represents a growing modernized approach to the increasingly sophisticated integration of burgeoning technology in the mortgage and banking industries. Although the Advisory Bulletin only applies specifically to the entities regulated by the FHFA, other participants in the mortgage and banking industries may be interested in incorporating its principles into their model risk management practices.

Additional Author  Brandon A. Dennis



1 FHFA, AB 2022-03: Supplemental Guidance to Advisory Bulletin 2013-07 - Model Risk Management Guidance (Dec. 21, 2022), https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/Model-Risk-Management-Guidance.aspx.

2 The Advisory Bulletin acknowledges that the Office of Finance is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act (12 U.S.C. 4502(20)) but indicates that the term “regulated entities” as used in the Advisory Bulletin should be interpreted to include the Office of Finance.

3 FHFA, AB 2013-07: Model Risk Management Guidance (Nov. 20, 2013) https://www.fhfa.gov/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2013-07-Model-Risk-Management-Guidance.aspx.