Cloud & Infrastructure Policy¶
| Code | DT-006 |
| Domain | Data & Technology |
| Owner | Chief Technology Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD09 |
| Review date | 2027-03-25 |
Regulations: CPS 230 Operational Risk Management · DTA Outsourcing Standard¶
Purpose¶
Govern the platform's obligations for model risk management, including model validation, ongoing monitoring, and governance of all models used in regulated decision-making.
Scope¶
All quantitative models used by the platform to make or inform regulated decisions, including credit scoring, AML scoring, capital calculation, impairment, and liquidity models.
Policy statements¶
The platform SHALL maintain a model inventory that records all models in use, their purpose, owner, validation status, performance monitoring schedule, and current approval status. The inventory SHALL be kept current and reviewed at least annually by the Chief Risk Officer (CRO).
All new models and material model changes SHALL undergo independent validation before deployment in production. Independent validation SHALL be performed by a party that was not involved in model development. Where internal independent validation is not feasible due to team size or specialisation, external validation SHALL be commissioned.
Validation SHALL assess: conceptual soundness, data integrity, model performance, known limitations, and the appropriateness of the model for its intended use. All validation findings SHALL be documented and resolved to the satisfaction of the validator before the model is approved for production use. Outstanding findings SHALL be escalated to the CRO.
All models in the model inventory SHALL be subject to ongoing performance monitoring. Monitoring SHALL include backtesting, population stability testing (PSI), and output distribution analysis on a frequency commensurate with model materiality and risk. Material performance deterioration — including PSI exceeding defined thresholds — SHALL trigger a model review and, where warranted, suspension of the model pending revalidation.
Models SHALL be revalidated at least every three years or following a material change in the data environment, business conditions, regulatory requirements, or the model's performance characteristics, whichever is sooner. Models that cannot be revalidated within this schedule SHALL be escalated to the CRO for risk acceptance or decommission.
Model overrides — manual adjustments to model outputs applied in production — SHALL be individually documented with the reason for the override, dual-approved at senior management level, and reported to the model owner monthly. Patterns of systematic overrides SHALL trigger a formal model review. Override rates exceeding defined thresholds SHALL be reported to the Board Risk Committee.
The CRO SHALL maintain oversight of the model risk programme and report model risk status, including outstanding validation findings, performance alerts, and override patterns, to the Board Risk Committee at least annually.
Satisfying modules¶
(No modules assigned yet — manual process)
Part of Data & Technology · Governance overview
Compiled 2026-05-22 from source/entities/policies/DT-006.yaml