Mastering SS1/23 in the New Era of UK Model Risk

For years, Model Risk Management (MRM) was often tucked away in the back offices of banks, treated as a technical hurdle rather than a strategic priority. Those days ended on May 17, 2024, when the PRA’s Supervisory Statement 1/23 (SS1/23) came into force.

Now, in 2026, the grace period is over. The industry is witnessing a massive surge in activity as MRM teams move beyond simple self-assessments into full-scale operational implementation. The PRA is no longer asking if you have a policy; they are asking to see your evidence, your lineage, and your board-level accountability.

‍

This pressure was further intensified by the April 16, 2026 update, officially published under the LIAF01/26 (Low Impact Amendments Finalisation) policy framework, where the PRA tightened the requirements for senior management responsibility, integrated stress testing, and formalized the validation of third-party models.

What the PRA Actually Expects Now

The regulator's focus has sharpened into three non-negotiable areas:

• Total Inventory Visibility: It is no longer enough to track core Basel models. The PRA expects an "Enterprise Inventory" that captures everything from complex AI to the material Excel spreadsheets that drive business decisions.
• The Death of the Black Box: Principle 3 of SS1/23 demands "Conceptual Soundness." If a bank uses an AI model for credit scoring or fraud, they must be able to explain why it made a specific decision.
• Senior Management Liability: Under the Senior Managers and Certification Regime (SM&CR), there is now a "named person" whose career is on the line if the bank’s models fail due to poor governance.

‍

The LIAF01/26 Operational Shift: Moving Beyond Low Impact

While the PRA categorized the April 2026 update as "Low Impact Amendments," the practical reality for risk teams is highly consequential. The LIAF01/26 framework introduces critical refinements that firms must integrate immediately:

1. Stress-Testing Integration: The update formally aligns SS3/18 (Model risk management principles for stress testing) with the core SS1/23 framework. Stress-testing and ICAAP models are now subject to the exact same rigorous independent validation and challenge as primary capital models.
2. Streamlined Reporting, Stricter Accountability: While the update allows firms to merge stress-testing and general model risk into a single board-level report to reduce duplication, it enforces strict personal accountability. The designated Senior Management Function (SMF) holder must personally sign off on the defensibility of the entire model landscape.
3. The 12-Month Compliance Runway for New Models: LIAF01/26 clarifies that strict compliance with SS1/23 is not a pre-condition for the initial approval of a new internal model. Instead, banks are granted a 12-month window post-approval to bring the model fully in line with MRM expectations—offering a structured runway for innovation.

‍

What you in the MRM team are probably searching for right now

Because the stakes are now personal for bank executives, MRM teams have become the most demanding software buyers in the market. When they approach a vendor today, they aren't looking for a "feature list" but rather a Governance Ecosystem.

We are seeing a consistent pattern in the questions coming from Tier-1 banks. You are likely searching for:

• Workflow Automation: Can the tool handle a model’s entire life from initiation to decommissioning, including parallel development and validation?
• Live Connectivity: Can the system link to live data such as RWA or customer volumes to provide a real-time view of model materiality?
• AI Guardrails: As banks rush to adopt Generative AI, they need tools that can automatically detect drift and bias before the regulator does.

‍

How Yields Answers the Call: A Blueprint for Compliance

At Yields, our response to this pressure isn't just to provide a repository, but to provide a "Single Source of Truth" that aligns exactly with the principles of SS1/23.

1. The Multi-Tiered Enterprise Inventory

The PRA wants to see relationships between model versions, lineages, and Post-Model Adjustments (PMAs). Our solution uses a flexible data model that allows traditional and AI models to coexist. It captures the "rich metadata" the PRA craves, including model limitations, assumptions, and operating boundaries, all stored in relational tables for easy interrogation.

2. Native Model Agnosticism

A common fear among banks is that a vendor tool will restrict their quants. We have built our platform to be model agnostic. Whether your team is using traditional predictive stats or the latest Predictive, Generative, or Agentic AI approaches, the system supports both without restriction. This ensures that innovation does not have to be sacrificed for compliance.

3. Automated Monitoring and "Self-Healing" Documentation

One of the biggest burdens of SS1/23 is the sheer volume of documentation. Our platform leverages automated pipelines to execute data analysis scripts and compute monitoring metrics. If a metric falls below a customized threshold, the system triggers an alert through a formal governance workflow. Furthermore, we use metadata to automate the generation of development documentation, reducing the manual compliance tax on your developers.

4. Zero-Trust Security and Data Residency

UK banks are rightfully protective of their data. We address this by offering a Cloud-Ready Architecture that can sit fully within a bank’s secure IT estate. Whether deployed as a managed SaaS on GCP or within the bank’s own Kubernetes environment, the data remains within the bank's controlled perimeter at all times.

A Global Regulatory Divide: The UK and US Divergence

While US regulators are moving toward a more tailored, non-enforceable posture under SR 26-2, the UK PRA is aggressively moving in the opposite direction. This divide makes vendor partnership critical, as the UK's stringent demands for proof and accountability contrast sharply with the US focus on flexible, technology-driven model management.

‍

The Vendor Perspective: Partnering, Not Just Providing

The shift in 2026 is that vendors can no longer be "third parties" in the eyes of the PRA. They are part of the bank's "material outsourcing." This 'material outsourcing' concept requires banks to apply the same robust governance to vendors as they would their own internal processes, which aligns with the EU’s DORA and the UK’s wider operational resilience framework.

Our approach is to provide a "White Box" experience. Yields makes the vendor risk assessment easy for the bank's procurement and compliance teams because code, calculations, and decision lineages are made transparent. We provide full governance lineage and reproducibility for every calculation and decision made in the system. By offering an API-first structure and supporting private network connectivity, we ensure that the bank’s MRM team has the same level of control over our software as they do over their own internal systems.

The Bottom Line: SS1/23 is not a hurdle to be cleared; it is a new way of doing business. Banks that choose a vendor who understands the regulatory spirit as well as the technical requirements will find that they aren't just managing risk, they are gaining a competitive advantage.

‍