Banks Embrace Model Review Opportunities Amid Policy Uncertainty and AI Disruption

The Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have officially ended the era of SR 11-7, the regulatory framework that governed bank model risk management for 15 years. On April 17, 2026, the three agencies issued the Revised Guidance on Model Risk Management (SR 26-2), replacing the long-standing 2011 guidance with a more principles-driven, risk-based approach.

The transition marks a significant shift in how U.S. Financial institutions must oversee the quantitative models used for decision-making. While the previous framework was often criticized for being applied too prescriptively, the new guidance allows banks to tailor their oversight based on the actual risk and materiality of each model.

Shift to Risk-Based Materiality

The core of the new framework is a formal materiality construct that replaces the previous expectation of uniform rigor across all models. Under SR 26-2, banks are expected to assess model risk by considering a model’s inherent risk—including its complexity, assumptions, and data quality—in the context of its materiality, defined as the model’s exposure and purpose.

This tiered approach allows banking organizations to apply different levels of governance:

• High-Materiality Models: These continue to require comprehensive and rigorous oversight and validation.
• Low-Materiality Models: Banks may apply lighter-touch oversight, which can be limited to identifying the models and monitoring their performance and the conditions under which they might become material in the future.

The revised guidance is primarily directed at banking organizations with over $30 billion in total assets, though regulators noted it remains relevant for smaller institutions with significant model complexity or exposure outside traditional community banking.

The Generative AI Gap

A central point of contention and uncertainty in the new guidance is the explicit exclusion of generative and agentic AI models from its scope. While traditional quantitative models are governed by the new MRM framework, the agencies have signaled that these rapidly evolving AI technologies will be addressed separately.

The OCC stated that the agencies plan to issue a request for information in the near future to specifically address the use of AI, including generative AI and agentic AI-based models. Despite being outside the specific scope of the MRM guidance, these tools are not exempt from general risk management and governance expectations applicable to all banking operations.

Industry Reaction and Implementation

Industry response has been mixed, characterized by Risk.net as a blend of hopes, fears and ‘mass confusion’. Many banks have welcomed the opportunity to prioritize their model reviews and reduce the compliance burden on immaterial tools. The new guidance also explicitly states that non-compliance alone will not result in supervisory criticism, a departure from the more prescriptive environment of the SR 11-7 era.

However, the sudden rescission of multiple foundational documents has created operational challenges. Along with SR 11-7, the agencies rescinded:

• OCC Bulletin 2011-12 and FDIC FIL-22-2017.
• The 2021 Interagency Statement on BSA/AML Model Risk Management (SR 21-8).
• OCC Bulletin 1997-24 regarding credit scoring models.
• The Model Risk Management booklet of the Comptroller’s Handbook.

For practitioners, this requires a comprehensive rewrite of validation templates, documentation refreshes, and a migration of model inventories to fit the new tiering system. Some firms estimate this transition will require two to three quarters of dedicated workstreams to align their internal platforms with the new expectations.

Vendor and Third-Party Oversight

The April 17, 2026, guidance also introduces a stand-alone section on vendor and third-party risk management. This recognizes the increasing reliance on externally developed models where banks may have limited ability to validate the underlying code or receive full developer documentation.

The agencies clarified that the principles of model risk management still apply to third-party tools. In cases where vendor models are customized for a specific bank’s needs, the institution is now explicitly required to document, justify, and evaluate any adjustments made to the original model.