AI Model Risk Management: A Framework for Caribbean Financial Institutions

Model risk management is not new to Caribbean financial institutions. Credit scoring models, pricing actuarial models, and capital calculation models have been subject to validation requirements for years. What is new is the pace at which AI systems are being adopted in model-intensive roles, the opacity of those systems relative to traditional statistical models, and the growing expectation from regional supervisors that AI models will be governed to at least the same standard as conventional models. Most Caribbean financial institutions are not yet there.

What Model Risk Management Means in an AI Context

The foundational reference for model risk management in banking is the US Federal Reserve's Supervisory Guidance on Model Risk Management (SR 11-7), issued in 2011. While not binding in the Caribbean, it has been adopted as best practice by major international banks and has influenced supervisory expectations globally, including in CARICOM jurisdictions where regulators look to international standards for guidance.

SR 11-7 defines a model as a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates. AI systems used in credit risk, fraud detection, pricing, or customer segmentation fit this definition precisely. SR 11-7's three core requirements, sound model development, independent validation, and effective governance, apply to AI models with the same force as to any other quantitative model, and with additional complexity given the opacity and non-linearity of many AI approaches.

The Bank for International Settlements (BIS) published principles for the use of AI in credit risk assessment in 2023, reinforcing SR 11-7's framework and adding requirements specific to AI: transparency of AI model decision logic, governance of AI model changes, and explainability of AI outputs to supervisors and affected customers. Caribbean central banks that align their supervisory expectations to BIS principles, which the Bank of Jamaica and Eastern Caribbean Central Bank both reference in their supervisory frameworks, are therefore building supervisory expectations for AI model risk management into their oversight of regulated institutions.

The Three-Lines Model Applied to AI

Effective AI model risk management in a Caribbean financial institution uses the three-lines model, with specific AI-related responsibilities defined for each line.

The first line (business units and model users) owns the model. Business units that deploy AI models are responsible for defining the model's purpose, ensuring it is used within its validated scope, monitoring its performance in production, and escalating performance deterioration. A lending team that uses an AI credit scoring model is responsible for confirming that the model is being used as validated, that its scores are reviewed by credit officers rather than applied mechanically, and that any patterns suggesting model performance problems are reported to the risk function.

The second line (model risk and validation functions) provides independent oversight. In a Caribbean bank, this function typically sits within the risk or compliance team rather than as a standalone model risk unit, given staffing constraints. The second line's responsibilities include maintaining the model inventory, conducting or commissioning independent validation of AI models before deployment and at regular intervals, reviewing model performance monitoring reports from the first line, and reporting to the board risk committee on the aggregate AI model risk profile.

The third line (internal audit) provides periodic independent assurance. Internal audit should assess whether the model risk framework is operating as designed, whether model validations are being conducted and findings remediated, whether the model inventory is complete and current, and whether governance of AI model changes is functioning. In small Caribbean institutions without dedicated internal audit staff, this function may be provided by the external auditor or by a specialist third party, but it should not be omitted entirely.

AI Model Validation: What It Requires and What Caribbean Institutions Can Do

Model validation is the independent assessment of a model's conceptual soundness, data quality, performance, and limitations. For an AI model used in credit risk or fraud detection, validation should cover five areas.

Conceptual soundness means assessing whether the AI approach is appropriate for the problem it is solving. Is a machine learning model the right tool for this credit risk application, given the data available, the decision context, and the explainability requirements? Who developed the model and what were their qualifications and incentives? Does the model's logic make economic sense, or does it capture spurious statistical correlations that happened to appear in the training data?

Data quality and representativeness means assessing whether the training data was appropriate. Was it representative of the population the model will be applied to? Were data quality issues (missing values, outliers, errors) addressed before training? For Caribbean institutions using vendor AI models, this means requesting the vendor's data documentation and assessing whether Caribbean market characteristics are adequately represented.

Performance testing means measuring the model against quantitative benchmarks. For a credit scoring model, this typically includes measures of discriminatory power (how well does the model separate good from bad credits?) and calibration (how well do predicted default rates match actual default rates?). For a fraud detection model, it covers detection rates, false positive rates, and performance across customer segments.

Sensitivity analysis means testing how model outputs change when inputs change. AI models, particularly deep learning models, can be sensitive to small changes in inputs in ways that are not intuitive. A credit model that changes a loan decision based on minor variations in a transaction date, rather than on economically meaningful factors, is exhibiting a sensitivity that suggests a model limitation.

Limitation documentation means explicitly recording what the model cannot do, what conditions it was not designed for, and what types of inputs or scenarios might produce unreliable outputs. This documentation is the basis for defining the validated scope within which the first line is permitted to use the model.

For Caribbean institutions that do not have internal model validation expertise, external validation by a specialist firm is an acceptable alternative, provided the external validator is genuinely independent from the model developer and vendor. The cost of an external AI model validation for a mid-complexity Caribbean banking model ranges from USD 15,000 to USD 50,000, depending on model complexity and the depth of testing required. This cost should be weighed against the risk of deploying an unvalidated AI model in credit or fraud decisions.

Managing AI Model Changes: The Governance Gap Most Caribbean Banks Have

AI models are not static. Vendors retrain models on new data, update algorithmic approaches, and modify feature sets in response to changing fraud patterns, credit market conditions, or regulatory requirements. Each material change to an AI model potentially changes its risk profile, its performance characteristics, and its compliance status. Without a change management process, a Caribbean bank that validated its AI credit model in 2022 may be operating a materially different model in 2025 without being aware of the change.

The governance requirement is clear: any material change to an AI model should trigger a reassessment of whether the existing validation remains valid. The challenge is that vendor contracts for AI tools often do not require advance notification of model updates, and the definition of "material change" is rarely specified.

Caribbean institutions should address this through two mechanisms. In vendor contracts, require written notification of any model retraining, any change to the feature set, and any change to model performance benchmarks, with a minimum 30-day notice period before the change is applied to the institution's production environment. In internal governance, define what constitutes a material change to an AI model (for example: a change in the model architecture, a retraining on new data that constitutes more than 20% of the training dataset, or a change in output score ranges) and establish that material changes require completion of an abbreviated re-validation before the new model version is deployed.

Frequently Asked Questions

What is AI model risk management and why do Caribbean banks need it?

AI model risk management is the process of identifying, assessing, and controlling the risks that arise from using AI models in financial decisions. Caribbean banks need it because AI models used in credit scoring, fraud detection, and pricing can produce systematically wrong or unfair outputs, with financial and regulatory consequences. Supervisory bodies including the Bank of Jamaica and the Eastern Caribbean Central Bank expect regulated institutions to apply model risk management to AI tools with the same rigour as to conventional quantitative models.

What is SR 11-7 and does it apply to Caribbean financial institutions?

SR 11-7 is the US Federal Reserve's Supervisory Guidance on Model Risk Management, issued in 2011. It is not directly binding on Caribbean institutions but is widely adopted as the global standard for model risk management in banking. Caribbean regulators look to international standards when developing supervisory expectations, and Caribbean banks with US correspondent relationships may find that their correspondents expect SR 11-7-aligned model governance. Its three core requirements, sound development, independent validation, and effective governance, represent minimum best practice for any Caribbean bank using AI in credit or risk decisions.

How often should AI models in Caribbean banks be validated?

AI models in regulated decision roles should be validated before initial deployment and then at minimum annually. More frequent validation is appropriate after a material change to the model, after a change in the data environment (for example, a significant shift in the credit or fraud landscape), or when ongoing monitoring indicates model performance has deteriorated. Caribbean institutions should document their validation schedule in their model risk policy and ensure the schedule is adhered to as a formal governance obligation, not an ad-hoc exercise.

What is model drift and how does it affect Caribbean AI deployments?

Model drift occurs when the statistical relationship between inputs and outputs that an AI model learned during training changes over time, causing the model's predictions to become less accurate. For Caribbean credit scoring models, the COVID-19 pandemic created significant model drift, as consumer behaviour and default patterns changed in ways that models trained on pre-2020 data could not anticipate. For fraud detection models, typologies evolve continuously as fraudsters adapt. Caribbean institutions should monitor key performance metrics for their AI models monthly and define threshold values that trigger a formal re-validation review when breached.

How do Caribbean institutions handle AI model explainability for regulators?

Caribbean institutions should ensure they can provide two types of explanation for AI model outputs. A global explanation describes how the model works overall: what the main input features are, how they influence outputs, and what the model's performance benchmarks are. A local explanation describes why the model produced a specific output for a specific decision, sufficient for a credit officer to explain to a customer why their loan was declined, or for a compliance officer to explain to a regulator why a transaction was flagged. Vendors of AI tools used in regulated decisions should be contractually required to provide both types of explainability support.

Can Caribbean credit unions apply the same AI model risk framework as banks?

Yes, with proportionate implementation. A credit union with 5,000 members and one AI tool (typically an AI-assisted loan scoring system) does not need a formal model risk management unit. The proportionate equivalent is: a designated model owner (typically the credit manager), a documented validation conducted by the external auditor or a specialist third party before deployment, annual performance monitoring with a written report to the supervisory committee, and a vendor contract clause requiring notification of model changes. This framework is achievable within a credit union's existing governance structure and staffing.

What are the signs that an AI model is performing poorly in a Caribbean context?

Signs of AI model performance deterioration in a Caribbean context include: a significant increase in loan default rates above the model's predicted defaults, suggesting the credit model is too optimistic; a significant increase in fraud losses despite a high volume of fraud flags, suggesting the fraud model is missing real fraud while over-flagging false positives; customer complaints clustering around specific AI-assisted decision types; or a change in the demographic or segment profile of declined applications or fraud flags that cannot be explained by genuine changes in the application population. Any of these patterns should trigger a formal model performance review.

What should Caribbean banks put in AI vendor contracts to protect themselves from model risk?

AI vendor contracts should include: a right to receive technical documentation of the model, including its architecture, training data sources, and performance benchmarks; advance notification (at least 30 days) before any model retraining or material change; a performance warranty specifying minimum detection rate and maximum false positive rate; an obligation to provide explainability support for individual decisions on request; audit rights allowing the institution to have the model independently assessed; data residency and handling obligations; and a liability clause allocating responsibility for losses arising from model failure or inaccuracy. Generic SaaS contracts rarely include these provisions and must be negotiated.

Validation Before Deployment Is Not Optional

The pattern in Caribbean financial services AI adoption follows a recognisable sequence: a vendor demo impresses the credit or operations team, management approves the procurement, IT deploys the system, and the compliance team is consulted, if at all, after the deployment is live. This sequence needs to reverse. The compliance and risk review, including an initial model validation assessment, belongs before the deployment decision, not after it.

The institutions that build model risk governance into their AI procurement process will catch problems before they become operational incidents. Those that validate after deployment will discover model limitations through customer complaints, regulatory inquiries, or unexplained increases in credit losses. In a market where correspondent banking relationships depend on demonstrated AML and risk management competence, the cost of the second approach is measurably higher than the first.