How to Build an AI Strategy for Financial Institutions Under the BSP Model Risk Guidelines
In BFSI, building an AI strategy is not about introducing new use cases—it is about structuring how AI is governed across the organization.
Under the Bangko Sentral ng Pilipinas’ Model Risk Management guidelines, AI initiatives are treated as regulated models, not standalone technologies. This means AI systems used in areas such as credit, fraud detection, and compliance must operate within a defined governance framework—subject to validation, monitoring, and auditability.
In practice, this requires a structured approach that defines:
- How AI systems are identified and classified
- How ownership, validation, and oversight are assigned
- How models are managed from development through decommissioning
These should not be treated as isolated initiatives, but as part of a regulated, enterprise-wide model governance system.
To apply this approach effectively, it is important to understand how the BSP defines and governs models within its Model Risk Management guidelines.
Understanding the BSP Model Risk Management Guidelines
The Bangko Sentral ng Pilipinas (BSP) has introduced Proposed Guidelines on Model Risk Management (MRM) to address the increasing reliance of financial institutions on models for decision-making.
Under these guidelines, a “model” is broadly defined as any system that processes data to generate outputs or support decisions. This includes statistical models, rule-based systems, and AI-driven solutions.
The guidelines establish expectations for how models should be:
- Identified and classified based on risk
- Governed through defined roles and responsibilities
- Validated independently before use
- Documented for transparency
- Monitored throughout their lifecycle
The guidelines require all decision-making systems to operate within a structured, controlled, and auditable framework—and clearly define what institutions are expected to implement.
The next question is how the BSP evaluates compliance in practice—and what happens when these expectations are not met.
Why Model Risk Management Is Not Optional
The BSP applies risk-based supervision of models through regular examinations, thematic reviews, and supervisory assessments.
Under the proposed MRM guidelines, BSP-supervised financial institutions are expected to establish and maintain a model risk management framework that is proportionate to their size, complexity, and extent of model use.
The implication is clear: using AI models without an MRM framework does not meet supervisory expectations.
This applies regardless of how the model is sourced, including:
- Internally developed models
- Third-party or vendor solutions
- AI and machine learning systems
- Models embedded within software platforms
Responsibility remains with the institution—not the model provider.
In practice, when models are used without proper governance, supervisory actions may include:
- Findings raised during examinations
- Requirements for immediate remediation
- Revalidation or suspension of models
- Escalation as operational or governance weaknesses
The BSP explicitly links weak model governance to financial losses, poor decision-making, and increased regulatory risk.
While institutions are not prohibited from adopting models, they are expected to ensure that all models operate within an MRM framework. Models that fall outside this structure may not be considered compliant for continued use.
This means AI models are not evaluated before adoption—but they are assessed after deployment based on how they are governed and controlled.
Because of this, building an AI strategy is not simply about adopting models—it is about ensuring that every model operates within a structured MRM framework from the outset.
The following is a practical framework for building your AI strategy in accordance with the BSP’s Model Risk Management guidelines.
How to Build Your AI Strategy Using the BSP Model Risk Principles
To align with the BSP MRM guidelines, your AI strategy must be structured as a system that integrates governance, lifecycle management, and decision control.
Step 1: Start with AI Use Cases—Then Classify Model Risk
AI strategy begins with a clear view of where AI is already used or planned across the organization. These use cases often exist across core functions such as credit assessment, fraud detection, AML/KYC, customer service, and internal operations.
However, under the BSP MRM principles, these systems must not be treated equally. Each AI use case must be formally assessed and classified based on risk.
You need to evaluate:
- Materiality — How much the model impacts financial outcomes or customer decisions
- Complexity — Whether the model is rules-based, statistical, machine learning, or generative AI
- Regulatory sensitivity — Whether the model directly affects customers or operates internally
The outcome of this step is not just a list of use cases but a risk-tiered model inventory, in which models are categorized (e.g., High, Medium, Low risk) based on their impact and risk exposure.
This classification determines how much governance, validation, and monitoring each model requires. Without it, organizations either over-control low-risk systems or under-govern high-risk ones—both of which create operational and regulatory issues.
Step 2: Establish Model Governance Before Deployment
Once models are identified and risk-tiered, governance must be defined before any development or deployment takes place.
The BSP MRM principles require clear accountability for every model. This means that responsibility for AI decisions cannot remain solely within technical teams—it must be distributed across business, risk, and compliance functions.
At a minimum, each model must have:
- A Model Owner responsible for business outcomes and decision impact
- A Model Developer responsible for building and maintaining the model
- A Model Validator responsible for independent review and challenge
In addition, your strategy must define:
- How models are approved before deployment
- What documentation is required at each stage
- How changes to models are tracked and controlled
To operationalize this, organizations typically establish a cross-functional governance structure, such as an AI or Model Governance Committee that includes stakeholders from business, risk, IT, and compliance.
This ensures that AI decisions are not only technically sound but also aligned with risk and regulatory expectations.
Step 3: Build Models with Documented and Defensible Methodology
Under the BSP MRM, models must be transparent, reproducible, and supported by clear documentation. This means that model development is not just a technical process—it is a controlled activity that must produce evidence.
Your strategy must standardize how models are built by defining:
- How data is sourced, cleaned, and prepared
- Why specific features or variables are selected
- What assumptions does the model make
- How the model is trained, tested, and evaluated
Every model must produce a Model Development Document (MDD) that clearly explains how the model works and why it is appropriate for its intended use.
This documentation allows independent reviewers, auditors, and regulators to understand the model without relying on the original developers.
If a model cannot be explained clearly or its design cannot be justified, it will not meet validation or supervisory expectations.
Step 4: Enforce Independent Model Validation
Before any model is deployed, it must be independently validated. This is a core requirement under the BSP MRM and one of the most scrutinized areas during supervisory reviews.
Validation must be performed by a function that is separate from the development team to ensure objectivity. It is not a formality; it is a critical control point that tests whether the model is reliable, fair, and fit for purpose.
Model Validation should assess:
- Whether the model performs accurately under different conditions
- Whether outputs are stable over time
- Whether there are biases that could affect customers or decisions
- Whether the model’s logic can be explained and justified
Common validation techniques include back testing, sensitivity analysis, and benchmarking against alternative models.
The output of this step is a Model Validation Report (MVR), which documents whether the model is approved for use, requires changes, or should not be deployed.
Without strong validation, organizations risk deploying models that perform poorly in real-world conditions or fail regulatory scrutiny.
Step 5: Embed Explainability and Decision Controls
For AI to be used in regulated environments, its output must be explainable, especially when they affect customers.
Your strategy must ensure that:
- Model decisions can be clearly explained in business terms
- Acceptable thresholds for bias and error are defined
- There are mechanisms to override or review model decisions when necessary
This often requires using explainability tools such as SHAP and LIME, which helps translate complex model outputs into understandable drivers of decisions.
- SHAP (SHapley Additive Explanations) explains a prediction by showing how much each input factor (e.g., income, transaction behavior) contributed to the final decision. It provides a clear breakdown of why a model arrived at a specific outcome by quantifying the impact of each variable.
- LIME (Local Interpretable Model-Agnostic Explanations) explains individual decisions by approximating the model with a simpler, interpretable version around a specific case—helping users understand what influenced that specific decision.
These tools make model decisions transparent by clearly showing which factors influenced the outcome.
For example, if a credit application is declined, the institution must be able to explain which factors influenced the decision and whether those factors are consistent with applicable policies and regulations.
Without explainability, even technically accurate models can create compliance risks and undermine customer trust.
Step 6: Implement Continuous Monitoring and Lifecycle Management
The BSP MRM emphasizes that model governance does not end at deployment. Models must be continuously monitored to ensure they remain accurate, stable, and aligned with real-world conditions.
Your strategy must define how models are monitored by tracking:
- Performance against actual outcomes
- Changes in input data quality or structure
- Signs of model drift or degradation
- Patterns in overrides or unexpected decisions
In addition, you must define:
- When a model needs to be revalidated
- How updates and retraining are managed
- When should a model be retired or replaced
This requires maintaining a centralized model inventory and monitoring capability, often supported by dashboards or reporting systems that provide visibility across all models in use.
Without continuous monitoring, models can degrade over time, leading to inaccurate decisions and increased regulatory exposure.
Step 6: Implement Continuous Monitoring and Lifecycle Management
The BSP MRM emphasizes that model governance does not end at deployment. Models must be continuously monitored to ensure they remain accurate, stable, and aligned with real-world conditions.
Your strategy must define how models are monitored by tracking:
- Performance against actual outcomes
- Changes in input data quality or structure
- Signs of model drift or degradation
- Patterns in overrides or unexpected decisions
In addition, you must define:
- When a model needs to be revalidated
- How updates and retraining are managed
- When should a model be retired or replaced
This requires maintaining a centralized model inventory and monitoring capability, often supported by dashboards or reporting systems that provide visibility across all models in use.
Without continuous monitoring, models can degrade over time, leading to inaccurate decisions and increased regulatory exposure.
Step 7: Align AI Strategy with Enterprise Risk and Compliance
An AI strategy cannot operate independently from the broader governance environment of the organization.
To meet BSP expectations, AI must be integrated into existing frameworks such as:
- Enterprise Risk Management (ERM)
- Information Security
- Data Privacy Compliance (Including the Data Privacy Act of 2012)
This ensures that AI-driven decisions are treated as part of overall operational risk, rather than isolated technical outputs.
When AI is aligned with enterprise governance, it becomes easier to manage risk consistently and demonstrate compliance during reviews.
Step 8: Ensure Auditability and Regulatory Readiness
Finally, your AI strategy must ensure that all models are fully auditable at any point in time.
This means maintaining:
- Complete and up-to-date model documentation
- Logs of model inputs, outputs, and decisions
- Validation and monitoring records
- Evidence of governance and approval processes
You should be able to demonstrate at any time:
- How a model was built
- How it is being used
- How its decisions are controlled and reviewed
If this cannot be demonstrated, the model will not meet BSP supervisory expectations—even if it performs well.
What This Means for Your AI Strategy
Applying these steps transforms your AI strategy into a structured system for governing, deploying, and scaling models across the organization.
In practice, this follows a clear flow:
Use Case → Risk Classification → Governance Setup → Build → Validate → Deploy → Monitor → Audit
This is fundamentally different from an ad hoc approach, where models are built and deployed first, and governance is addressed later.
Under the BSP Model Risk Management principles, strategy is defined by how well this structure is implemented—not by how many AI use cases are deployed.
What This Enables in Practice
Once a structured model governance framework is in place, your organization can move beyond controlled experimentation to consistent execution.
This allows you to:
- Scale AI-driven decisions across business units without duplicating governance efforts
- Automate high-volume processes while maintaining clear decision accountability
- Expand AI use cases with confidence that controls and oversight remain consistent
- Integrate AI into core operations without introducing fragmented or unmanaged risk
At this stage, AI becomes a reliable operational capability—one that can be applied at scale while meeting both business and regulatory expectations.
Connecting to a Broader AI Strategy Framework
While the BSP MRM defines how models are governed, it must be aligned with a broader AI strategy that connects initiatives to business outcomes, ownership, and performance measurement across the organization.
For a broader view of how your AI strategy aligns with growth, governance, and performance, refer to our guide on AI Strategy for BFSI: A Complete Guide on How to Govern and Control AI .
Move from Compliance to Scalable Execution
Aligning your AI strategy with the BSP Model Risk Management guidelines requires a clear model governance structure—ensuring AI systems are controlled, validated, and monitored across business units.
Implementing this consistently across business, risk, and technology functions—especially at scale—is complex. This is where an experienced partner becomes essential.
Tech One Global Philippines is a multi-awarded Microsoft Solutions Partner, recognized as Microsoft’s Country Partner of the Year 2025, with advanced specializations in Cloud, Data & AI, Security, and Modern Work.
Contact Tech One Global Philippines for assistance in creating your AI Strategy.
Applying the AI Pillars Across the BFSI Adoption Journey
AI maturity in BFSI typically progresses through three stages: Early Adoption, Expanding Adoption, and Embedding & Scaling.
The same five pillars apply—but their role deepens as AI moves from experimentation to enterprise capability.
1. Early Adoption: Proving Value in a Controlled Environment
At this stage, organizations are exploring AI through targeted use cases—often within innovation teams, digital units, or specific business lines.
How the pillars are applied:
- Business Alignment
The focus is on specific, visible problems, such as fraud detection in InstaPay transactions or chatbot-driven customer service.
Alignment is use-case driven, not yet enterprise-wide.
- Value Prioritization
Quick wins take priority—low complexity, high-visibility use cases that demonstrate ROI within months.
- Clear Ownership
Ownership typically sits with innovation, IT, or digital teams—business involvement is present but not yet fully accountable.
- Consistent Governance
Governance is lightweight but intentional—basic controls around data usage, model validation, and compliance with BSP expectations.
- Performance Measurement
Metrics focus on proof of value—accuracy, processing-time improvements, or fraud-detection rates.
Executive reality:
AI is being tested. The goal is confidence—not scale.
2. Expanding Adoption: Scaling Across Functions and Use Cases
AI begins to move beyond pilots into multiple business units, particularly in high-impact domains like lending, payments, and risk.
How the pillars are applied:
- Business Alignment
AI initiatives are now linked to functional KPIs—loan approval turnaround time, fraud loss reduction, and customer onboarding efficiency.
- Value Prioritization
Organizations shift from “quick wins” to portfolio thinking—prioritizing use cases based on financial impact, transaction volume, and regulatory sensitivity (e.g., across PESONet and digital wallets).
- Clear Ownership
Ownership transitions to business leaders (e.g., Head of Lending, Chief Risk Officer), with IT and data teams as enablers.
- Consistent Governance
More structured governance frameworks emerge—model documentation, validation processes, and audit readiness aligned with BSP expectations.
- Performance Measurement
KPIs evolve to include business impact—cost savings, revenue uplift, operational efficiency, and risk reduction.
Executive reality:
AI is delivering value—but inconsistencies, silos, and governance gaps begin to surface.
3. Embedding & Scaling: Institutionalizing AI as a Core Capability
AI becomes part of core banking operations, embedded into decision-making at scale across the enterprise.
How the pillars are applied:
- Business Alignment
AI is fully integrated into enterprise strategy—supporting financial inclusion, digital growth, and competitive differentiation.
- Value Prioritization
Investment decisions are driven by enterprise-wide value optimization—balancing profitability, risk exposure, and customer experience across the entire portfolio.
- Clear Ownership
Accountability is fully embedded in the business, with strong alignment across business, risk, compliance, and technology. AI governance is often overseen at the executive or board level.
- Consistent Governance
A mature AI governance framework is in place—covering explainability, bias management, auditability, and regulatory compliance.
AI decisions are fully defensible to regulators, including the BSP.
- Performance Measurement
Continuous monitoring is institutionalized—AI performance is tracked in real time, with automated retraining, model risk management, and benchmarking across use cases.
Executive reality:
AI is no longer a capability—it is part of how the bank operates, competes, and manages risk.
What This Means for BFSI Leaders
The five pillars do not change—but how rigorously they are applied determines whether AI stalls or scales.
- In Early Adoption, the pillars provide direction
- In Expanding Adoption, they provide structure
- In Embedding & Scaling, they provide control and sustainability
The key question for BFSI leaders is not:
“Do we have AI initiatives?”
But rather: “Do we have the discipline across these pillars to scale AI—safely, compliantly, and profitably?”
Understanding your current stage is the first step—closing the gaps across these pillars is what enables scale
AI Readiness: Can Your Organization Scale AI Effectively?
A defined strategy provides direction—but scaling AI requires the right foundations.
Most BFSI organizations already have AI initiatives across functions. The key question is whether these efforts can scale consistently, with visibility and control, as adoption expands.
Download the AI Strategy & Readiness Checklist to get a clear view of where your organization stands—and what to prioritize next.
Why Execution Requires a Partner
A structured AI strategy defines what needs to be done—but executing it consistently across your organization is a different challenge.
In BFSI, AI spans business units, risk functions, data environments, and customer-facing processes. Scaling it requires coordination across these areas while ensuring that decisions remain consistent, measurable, and aligned with the BSP’s expectations.
At this stage, organizations must align multiple layers simultaneously:
- Business priorities across functions
- Risk and compliance requirements
- Technology and data integration
- Operational processes and workflows
This is where many organizations require additional expertise—to structure AI at the enterprise level, standardize governance, and enable controlled execution.
Working with the right partner enables organizations to move from a defined strategy to consistent, scalable execution.
Why Tech One Global Philippines
Executing an AI strategy in BFSI requires more than technical capability—it requires a partner that understands how to align AI with business outcomes, regulatory expectations, and operational realities in the Philippines.
Tech One Global Philippines is a Microsoft-recognized partner with experience in enterprise AI and digital transformation. As a 4-time Microsoft Partner of the Year, we have delivered large-scale solutions across data, AI, cloud, and security—capabilities that are directly relevant to BFSI environments.
Beyond platform expertise, Tech One Global Philippines differentiates itself through our ability to operationalize AI strategy within regulated financial institutions.
This includes:
- Aligning AI initiatives to business outcomes
Ensuring use cases contribute to measurable improvements in growth, efficiency, and risk management
- Establishing governance and oversight
Applying consistent standards that support explainability, auditability, and regulatory alignment
- Preparing AI-ready environments
Structuring data, infrastructure, and security to support scalable AI adoption
- Enabling controlled execution
Integrating AI into existing processes without disrupting operations
With a strong understanding of the BFSI environment in the Philippines and experience in large-scale enterprise AI implementations, Tech One Global Philippines supports organizations in moving from fragmented adoption to coordinated, scalable execution
The next step is to contact us so we may help you assess where your organization stands today—and what you require to move forward with clarity.
