PRA SS1/23 was published in May 2023 alongside Policy Statement PS6/23, following Consultation Paper CP6/22 issued in June 2022. The Supervisory Statement took effect on 17 May 2024 and applies to UK banks, building societies and PRA-designated investment firms. The full text sits at bankofengland.co.uk/prudential-regulation/publication/2023/may/model-risk-management-principles-for-banks-ss, and the consultation lineage is on the same publications register.
SS1/23 is principles-based. The supervisory expectations are set out as five principles covering identification, governance, development, validation and monitoring with mitigants. UK banks now build to those expectations explicitly, rather than inferring the supervisor's view from bilateral dialogue or thematic findings. The principles establish the firm-wide model risk management baseline that the PRA will assess against.
SS1/23 does not single out AI, but the principles apply to AI and machine learning systems that meet the firm's model definition. The PRA was explicit in PS6/23 that the framework is technology-neutral. The practical effect is that material AI and machine learning systems sit inside the firm's MRM framework alongside traditional quantitative models, with the same documentation, validation and oversight expectations, proportionate to materiality.
A firm-wide model definition, a single inventory across the group, and a materiality tiering that drives effort. Coverage must include in-house, vendor and AI or machine learning models. The hard part is capturing embedded vendor models inside core banking, treasury and risk platforms that were never logged as models.
Board engagement on MRM, an executive owner accountable for the framework, an MRM policy, three-lines-of-defence design, and an annual MRM report to the board. The board, not a delegated committee, retains residual responsibility under PRA expectations, with SMCR accountability typically running through an SMF holder.
Conceptual soundness, documented methodology, data quality controls, code and change management, and explicit limitations communicated to model users. Use must be consistent with the documented intended purpose, and any use outside that scope requires fresh assessment under the same standards.
Validation independent of development, exercising effective challenge: senior validators, defined scope, conceptual review, outcomes analysis, sensitivity and stability testing, ongoing monitoring review, and findings tracked to remediation with severity ratings. Validation cycles are calibrated to model materiality, not run uniformly.
Compensating controls where model risk is elevated: overrides, conservative adjustments, post-model adjustments, monitoring triggers and risk-acceptance papers signed at the appropriate level. Mitigants are documented, time-bound and reviewed; they are not a substitute for fixing the underlying model deficiency.
SS1/23 is technology-neutral. A firm's model definition should capture material AI and machine learning systems, and the same five principles apply, with proportionate adaptation for evaluation, drift monitoring and explainability where the model class warrants it.
Supervisory authority for UK banks, building societies and PRA-designated investment firms. Owns SS1/23 and oversees model risk through the routine supervisory cycle, including periodic reviews and firm-specific letters.
Conduct supervisor that works alongside the PRA where conduct outcomes depend on model performance. Joint author with the Bank of England of Discussion Paper DP5/22 on AI in financial services.
Provides the macroprudential context for systemic implications of model risk across the UK banking system, including the use of AI in financial stability assessments.
SS1/23 was consulted as CP6/22 in June 2022, finalised as PS6/23 and SS1/23 in May 2023, and the supervisory expectations took effect on 17 May 2024. The 12-month implementation window was set by the PRA to give firms time to align inventories, governance and validation cycles. The publications register at bankofengland.co.uk holds the consultation responses and final policy text.
PRA supervision under SS1/23 runs through firms' routine model risk dialogue, not as a one-off thematic exercise. Firms can expect MRM evidence to feature in PRA periodic summary meetings and supervisory letters, with the annual MRM report acting as the focal artefact for board engagement and ongoing assurance.
The Bank of England and FCA's joint Discussion Paper DP5/22, published in October 2022, set the regulators' direction on AI: they intend to use existing rules, including SS1/23 for model risk, rather than introduce a single AI rulebook for financial services. UK firms should expect SS1/23 to do most of the work for AI in PRA-regulated activity, complemented by SMCR for accountability.
| Adjacent rule | How it interacts |
|---|---|
| SR 11-7 (US Federal Reserve and OCC) | SR 11-7 is the conceptual precursor to SS1/23. UK firms with US operations frequently align internal MRM frameworks to satisfy both. The documentation overlap is high; SS1/23 places slightly more weight on board engagement, materiality tiering and the annual MRM report as a discrete artefact. |
| EU AI Act (Regulation 2024/1689) | UK banks placing AI systems on the EU market, or producing outputs used in the EU, pick up AI Act obligations on top of SS1/23. Annex IV technical documentation and Article 9 risk management map cleanly into the SS1/23 artefact set, reducing duplicative effort if both are designed together. |
| Capital Requirements Regulation (CRR) Article 143 | IRB credit risk models retained under post-Brexit UK CRR continue to require Article 143-equivalent governance and validation. SS1/23 sets the firm-wide MRM frame within which IRB validation now sits, rather than displacing the IRB-specific expectations. |
| Senior Managers and Certification Regime (SMCR) | The executive owner for MRM under Principle 2 will typically be an SMF holder, with the responsibility reflected in their Statement of Responsibilities. SS1/23 explicitly leverages SMCR accountability to drive board and executive engagement on model risk. |
| DORA (EU Digital Operational Resilience Act, 2022/2554) | For UK groups with EU branches or subsidiaries, DORA ICT risk and third-party management obligations overlap SS1/23 expectations on vendor model governance and inventory. The two regimes are complementary rather than duplicative and are best operated through a single control set. |
“The shortest path to SS1/23 readiness is not to rebuild your MRM framework from scratch. It is to map your existing artefacts to the five principles, name the gaps honestly, and remediate the ones that matter.”
17 May 2024. The Supervisory Statement was published in May 2023 alongside Policy Statement PS6/23, giving firms a 12-month implementation window.
Yes where they meet the firm's model definition. SS1/23 is technology-neutral, and material AI and machine learning systems sit inside the MRM framework alongside traditional quantitative models.
SS1/23 is principles-based and emphasises board engagement, materiality tiering and the annual MRM report. SR 11-7 is more prescriptive on the validation cycle. The substantive overlap is high and most UK firms run a single framework that satisfies both.
Principle 2 expects board engagement on MRM, with residual responsibility retained at board level. The executive owner is typically an SMF holder under SMCR, with the responsibility reflected in their Statement of Responsibilities.
8 to 16 weeks to a production-ready set of MRM artefacts mapped to all five principles, including the annual MRM report template and a portable audit pack.
PRA SS1/23 was published in May 2023 and took effect on 17 May 2024, applying to UK banks, building societies and PRA-designated investment firms. It sets five principles: identification and inventory, governance, development, independent validation, and monitoring with risk mitigants. The framework is technology-neutral, so material AI and machine learning systems sit inside the MRM framework. The PRA supervises through the routine cycle and the annual MRM report is the focal artefact. UK firms can map existing evidence to the principles and remediate gaps rather than rebuild.