Introduction
On April 17, 2026, the Federal Reserve, FDIC, and OCC jointly issued revised interagency guidance on model risk management (SR 26-2), superseding the foundational SR 11-7 framework that had governed banking institutions’ model practices since 2011. The revision reflects fifteen years of evolution in how financial institutions develop and deploy quantitative tools, the emergence of artificial intelligence and machine learning in core business processes, and a deliberate regulatory shift toward principles-based oversight calibrated to institutional risk profile. For the financial services industry, the change is both substantive and structural: it redefines what constitutes a model, narrows the population of institutions to which formal guidance is addressed, and explicitly sets aside generative and agentic AI for separate forthcoming rulemaking.
This paper examines the six most consequential differences between the original and revised standards, surveys their practical implications for institutions subject to the guidance, and identifies the adjustments that banking organizations across the asset size spectrum should expect to make to their model risk management programs. The analysis proceeds from a comparative review of the two frameworks to the operational expectations that the revised standard creates for model inventories, validation practices, governance structures, and the treatment of emerging AI technologies.
Key Differences Between SR 11-7 and the 2026 Revised Standard
When comparing the original and revised MRM standards, the most important substantive difference is scope. In 2011, the model definition was intentionally broad. It covered quantitative methods, systems, or approaches applying statistical, economic, financial, or mathematical theories and explicitly included approaches whose inputs were partially or wholly qualitative or based on expert judgment so long as the output was quantitative. By contrast, the 2026 revised standard defines a model as a complex quantitative method, system, or approach applying statistical, economic, or financial theories to generate quantitative estimates, and expressly excludes simple arithmetic calculations such as those found in spreadsheets, as well as deterministic rule-based processes and software without those theoretical underpinnings. It also expressly excludes generative AI and agentic AI models from the scope of this guidance, while noting that broader governance and risk management practices should include such tools and modeling frameworks. This is not simple semantics. It materially reduces the number of tools and end-user computing applications that can plausibly be swept into the formal confines of MRM under the revised standard.
The second major difference is applicability and tailoring by institution type and model risk profile. The 2011 standard stated that all banks should ensure internal policies and procedures were consistent with the guidance, while acknowledging that practical application should be commensurate with the bank’s risk exposures, activities, and the complexity and extent of model use, including lighter implementation for community banks with relatively few and moderately complex models. The 2026 revised standard is more direct while also more limiting. It states that the guidance is expected to be most relevant to banking organizations with more than $30 billion in assets, and that institutions at or below that threshold are generally outside the guidance unless they have significant exposure to model risk because of model prevalence, model complexity, or nontraditional activities.
The third major difference is the treatment of prescriptiveness. SR 11-7 was framed as comprehensive supervisory guidance and, while not a regulation, it was often operationalized by banks and examiners as if it implied a fairly stable minimum control architecture. The 2026 standard makes the non-prescriptive character of the guidance much more explicit. Both the interagency text and the supporting agency press releases state that the guidance does not establish enforceable standards or prescriptive requirements and that non-compliance alone will not produce supervisory criticism. That does not mean MRM weakness is now without consequence. The revised guidance itself notes that supervisory action may still result from violations of law or unsafe or unsound practices stemming from insufficient management of model risk. But it does mean the agencies are deliberately signaling that institutions should not treat every historical SR 11-7 convention as a mandatory procedural requirement.
The fourth major difference lies in the articulation of model risk itself. The 2011 standard described model risk mainly through two causal channels: fundamental model error and model misuse. It also emphasized complexity, uncertainty in assumptions and inputs, broader use, and potential impact, together with aggregate model risk and effective challenge. The 2026 revised standard reframes this analysis more explicitly around inherent risk, exposure, purpose, and use. It states that model purpose together with model exposure determines model materiality, and that overall model risk reflects inherent risk in the context of that materiality. It also states that organizations may deem certain models immaterial and, for such models, management may consist chiefly of identifying them and monitoring whether they may become material in the future. This is a meaningful evolution because it gives institutions clearer conceptual support for tiering models and for applying lighter controls where both exposure and purpose are limited.
The fifth material difference is the revised treatment of validation. The 2011 standard described an effective validation framework in highly detailed terms, with three core elements—conceptual soundness, ongoing monitoring, and outcomes analysis—and stated that banks should conduct periodic review of each model at least annually and generally ensure all models undergo full validation at fixed intervals. The 2026 revised standard retains conceptual soundness, outcomes analysis, and ongoing monitoring, but speaks in less mandatory and less interval-driven language. Validation timing, nature, and frequency are said to vary based on model purpose, methodology, model changes, data limitations, and practical constraints. Validation generally occurs before first use, but critical business requirements may justify controlled use before validation is completed. The revised standard also states that the quality of validation depends more on rigor and effectiveness of review than on the organizational structure of the risk management function. This is a notable softening of the earlier emphasis on recurring full validations and formal annual reviews, and it aligns with the OCC’s earlier clarification that its model risk guidance should not be interpreted to require annual model validation for community banks. That clarification is referenced in the OCC press materials accompanying the revised bulletin.
The sixth difference is a simplification of governance expectations without abandoning governance substance. SR 11-7 devoted considerable detail to board and senior management responsibilities, policy approval and annual review, roles across ownership, controls, and compliance, internal audit, external resources, model inventory, and documentation standards. The revised standard still covers governance and controls, clear roles and responsibilities, model inventory, documentation, internal audit boundaries, and oversight of external resources, but in a more principles-based formulation. It states that model governance should be supported by clear policies and effective controls, that governance sophistication is typically informed by the extent and sophistication of model usage and organizational complexity, that inventories are common industry practice and should contain sufficient information to understand model risks at individual and aggregate levels, and that adequate documentation supports continuity, remediation tracking, and effective risk management. The practical implication is that the agencies still expect governance infrastructure, but they are giving institutions more latitude in how that infrastructure is designed and evidenced.
There are also agency-specific differences in how the change from the original to the revised standard is described. For the Federal Reserve, the change is framed as a supersession of SR 11-7 and the 2021 BSA/AML model risk statement, with the emphasis on clarifying principles and tailoring application. For the OCC, the change is broader and more comprehensive: it rescinds OCC Bulletin 2011-12, the Comptroller’s Handbook MRM booklet, the 1997 credit-scoring bulletin, and the 2021 BSA/AML interagency statement, thereby consolidating prior OCC-level MRM guidance into a single revised interagency framework. For the FDIC, the change is presented as both adoption and narrowing. The FDIC rescinds FIL-22-2017, which had adopted the earlier interagency guidance, and FIL-27-2021, while expressly stating that the revised guidance generally does not apply to smaller institutions lacking significant model risk exposure.
Practical Implications for Financial Institutions
For financial institutions subject to the revised standard, the clearest expectation is that MRM programs should become more explicitly risk-segmented rather than uniformly process-driven. Institutions should expect examiners to focus less on whether every historical SR 11-7 checkpoint or “ritual” has been performed in the same way across all models and more on whether the institution has a defensible framework for distinguishing material from immaterial models, high-risk from low-risk uses, and significant from limited business impact. The revised guidance expressly supports model tiering logic based on inherent risk, exposure, and purpose, including recognition that some models may be immaterial and monitored more lightly unless their role changes.
Institutions should also expect the model inventory boundary to be revisited. Under the revised standard, many spreadsheet calculations, deterministic tools, and rules-based processes that institutions previously classified as “models” mainly out of caution may no longer belong inside the formal MRM perimeter if they do not meet the revised definition. That does not mean those tools can be unmanaged. It means they should be governed under broader operational risk, end-user computing, data governance, or process control frameworks rather than under full MRM treatment. For many institutions, especially community and regional banks, this may justify a substantial rationalization of model inventories, validation plans, and MRM reporting.
At the same time, institutions should not misread the revised standard as permission to weaken substantive challenge. The revised guidance preserves the central role of effective challenge, aggregate model risk assessment, pre-use validation as a general rule, ongoing monitoring, outcomes analysis, and governance. A bank that uses a model for a significant business line, regulatory requirement, financial risk measurement, or high-impact decision should still expect robust development evidence, credible validation, clear limitation management, and strong governance. What has changed is the agencies’ willingness to say openly that rigor should be commensurate with materiality and that not every institution, or every model, warrants the same intensity of process.
For community banks in particular, the revised standard is likely to have two practical effects. First, many institutions at or below $30 billion in assets that do not have significant model risk exposure will have stronger supervisory support for a lighter-touch MRM framework. The FDIC states this most directly, and the OCC materials similarly point toward a tailored approach for community banks. Second, smaller institutions with concentrated but meaningful model risk—such as reliance on vendor CECL, IRR, liquidity, capital planning, fraud, or credit decisioning models—should still expect scrutiny of whether those models are appropriately identified, validated, monitored, and governed. The revised standard does not create a small bank exemption from sound risk management; it creates supervisory room for proportionality.
Institutions should also expect heightened attention to vendor models and customized third-party solutions. Both the original and revised standards maintain that vendor products remain subject to the institution’s own MRM framework, but the revised standard condenses the principle into a simpler message: institutions must understand the vendor model sufficiently to assess conceptual soundness, development data, and performance, and they must conduct ongoing monitoring and outcomes analysis, including of customizations and overlays. In current supervisory practice, that likely means banks will still need documented challenge of vendor black boxes, but they may have more latitude in the exact form of that challenge, especially where direct code review is unavailable and benchmarking, sensitivity analysis, and performance monitoring are more practical.
Finally, institutions should expect the agencies to treat AI-related model governance as unfinished territory rather than settled doctrine under the revised standard. The interagency guidance expressly excludes generative AI and agentic AI models from scope, while the OCC states that the agencies plan to issue a request for information addressing model risk management more generally and banks’ use of AI, including generative AI, agentic AI, and AI-based models. The implication is that traditional statistical and quantitative models remain squarely within the revised MRM framework, but banks should not assume that emerging AI tools are beyond supervisory concern. Rather, those tools currently sit outside this particular guidance while still requiring governance under broader risk management expectations.
Conclusion
The 2026 revised interagency MRM guidance represents a meaningful recalibration of supervisory expectations, not a relaxation of the fundamental obligation to manage model risk soundly. By narrowing the definition of a model, directing the guidance primarily toward larger institutions with significant model risk exposure, and adopting an explicitly principles-based rather than prescriptive approach, the agencies have signaled a willingness to allow governance structures to be proportionate to the actual risk that models create. For institutions with mature MRM programs, the revised standard offers an opportunity to rationalize inventories, streamline validation cadences, and re-align governance overhead with materiality. For smaller and community institutions, it provides supervisory support for lighter-touch frameworks that were always appropriate but insufficiently endorsed under SR 11-7.
What the revised standard does not change is the expectation that model risk, wherever it is material, will be governed rigorously. Effective challenge, independent validation, ongoing monitoring, and defensible governance remain the core obligations of a sound MRM program under any version of the guidance. Institutions that interpret the revision as an invitation to reduce substantive oversight rather than to apply it more precisely will misread both the letter and intent of the revised framework. The path forward is greater precision and proportionality, not reduced vigilance.