12 CFR § 1240.203 - Requirements for managing market risk.
(a) Management of covered positions—(1) Active management. An Enterprise must have clearly defined policies and procedures for actively managing all covered positions. At a minimum, these policies and procedures must require:
(i) Marking covered positions to market or to model on a daily basis;
(iii) Establishment and daily monitoring of limits on covered positions by a risk control unit independent of the business unit;
(iv) Routine monitoring by senior management of information described in paragraphs (a)(1)(i) through (iii) of this section;
(v) At least annual reassessment of established limits on positions by senior management; and
(vi) At least annual assessments by qualified personnel of the quality of market inputs to the valuation process, the soundness of key assumptions, the reliability of parameter estimation in pricing models, and the stability and accuracy of model calibration under alternative market scenarios.
(2) Valuation of covered positions. The Enterprise must have a process for prudent valuation of its covered positions that includes policies and procedures on the valuation of positions, marking positions to market or to model, independent price verification, and valuation adjustments or reserves. The valuation process must consider, as appropriate, unearned credit spreads, close-out costs, early termination costs, investing and funding costs, liquidity, and model risk.
(b) Requirements for internal models.
(1) A risk control unit independent of the business unit must approve any internal model to calculate its risk-based capital requirement under this subpart.
(iii) The Enterprise makes any material change to its modeling assumptions.
(3) FHFA may determine an appropriate capital requirement for the covered positions to which a model would apply, if FHFA determines that the model no longer complies with this subpart or fails to reflect accurately the risks of the Enterprise's covered positions.
(4) The Enterprise must periodically, but no less frequently than annually, review its internal models in light of developments in financial markets and modeling technologies, and enhance those models as appropriate to ensure that they continue to meet the Enterprise's standards for model approval and employ risk measurement methodologies that are most appropriate for the Enterprise's covered positions.
(5) The Enterprise must incorporate its internal models into its risk management process and integrate the internal models used for calculating its market risk measure into its daily risk management process.
(6) The level of sophistication of an Enterprise's internal models must be commensurate with the complexity and amount of its covered positions. An Enterprise's internal models may use any of the generally accepted approaches, including variance-covariance models, historical simulations, or Monte Carlo simulations, to measure market risk.
(7) The Enterprise's internal models must properly measure all the material risks in the covered positions to which they are applied.
(9) The Enterprise must have a rigorous and well-defined process for re-estimating, re-evaluating, and updating its internal models to ensure continued applicability and relevance.
(c) Control, oversight, and validation mechanisms.
(1) The Enterprise must have a risk control unit that reports directly to senior management and is independent from the business units.
(2) The Enterprise must validate its internal models initially and on an ongoing basis. The Enterprise's validation process must be independent of the internal models' development, implementation, and operation, or the validation process must be subjected to an independent review of its adequacy and effectiveness. Validation must include:
(i) An evaluation of the conceptual soundness of (including developmental evidence supporting) the internal models;
(ii) An ongoing monitoring process that includes verification of processes and the comparison of the Enterprise's model outputs with relevant internal and external data sources or estimation techniques; and
(iii) An outcomes analysis process that includes backtesting.
(3) The Enterprise must stress test the market risk of its covered positions at a frequency appropriate to each portfolio, and in no case less frequently than quarterly. The stress tests must take into account concentration risk (including concentrations in single issuers, industries, sectors, or markets), illiquidity under stressed market conditions, and risks arising from the Enterprise's trading activities that may not be adequately captured in its internal models.
(4) The Enterprise must have an internal audit function independent of business-line management that at least annually assesses the effectiveness of the controls supporting the Enterprise's market risk measurement systems, including the activities of the business units and independent risk control unit, compliance with policies and procedures, and calculation of the Enterprise's measures for spread risk under this subpart. At least annually, the internal audit function must report its findings to the Enterprise's board of directors (or a committee thereof).
(e) Documentation. The Enterprise must adequately document all material aspects of its internal models, management and valuation of covered positions, control, oversight, validation and review processes and results, and internal assessment of capital adequacy.