BANKREGWIRE
Rule Navigator · Model Risk Desk
Interagency Supervisory Guidance · MRM Comparison Tool

Model Risk Management Guidance
SR 11-7 / OCC 2011-12 → April 2026 Update

SR 11-7 + 3 more · 2011–2021
OCC Bull. 2026-13 · Fed SR 26-2 · FDIC FIL-15-2026
Apr 17, 2026 · Fed · FDIC · OCC Joint
Forthcoming: Joint AI RFI
Legend: New Provision · Revised · Removed · AI-Specific
Three Structural Shifts
Bulletin 2026-13 reshapes MRM around three deliberate structural changes: (1) guidance is scoped to $30B+ institutions with sub-threshold banks presumptively excluded; (2) guidance is explicitly non-enforceable with supervisory criticism disclaimed; and (3) generative and agentic AI are carved out, with a joint RFI on AI announced concurrently. The 2021 BSA/AML model risk statement is also rescinded, folding AML model governance back into general MRM principles.
4 New Provisions · 9 Revised · 4 Removed · 3 AI-Specific Carve-Outs · 4 Documents Rescinded
April 2011: SR 11-7 / OCC 2011-12
June 2017: FDIC FIL-22-2017 (FDIC Adopts SR 11-7)
April 2021: SR 21-8 / OCC 2021-19 (BSA/AML MRM)
2025: OCC Community-Bank MRM Clarification
Apr 17, 2026: Joint Revised Guidance (Bull. 2026-13 · SR 26-2 · FIL-15-2026)
Forthcoming: Joint RFI on MRM and AI (Gen + Agentic)
Reading the diffs: old guidance text is shown in muted italic · new guidance text is shown in standard weight · highlighted spans show additions, deletions, and AI-specific provisions
Provision Analysis
Revised · Scope Explicitly Limited — $30B Asset Threshold Introduced · ▲ High
SR 11-7 · April 2011
Applied to all banks. Acknowledged that practical application "should be customized to be commensurate with a bank's risk exposures" and that steps for a community bank "might be significantly less involved." No explicit size threshold or bright-line exclusion.
OCC Bulletin 2026-13 · April 2026
Guidance is expected to be most relevant to banking organizations with over $30 billion in total assets. Smaller institutions are generally excluded, consistent with a tailored supervisory approach. Exception carved out for sub-$30B institutions with significant model exposure outside traditional community banking.
Policy Significance
This is a structural break from SR 11-7, which applied principles to all banks with model usage. The $30B threshold does not map cleanly onto an existing prudential category — it sits well above the Community Bank Leverage Ratio threshold ($10B) and meaningfully below the Category IV tailoring threshold ($100B). It likely reflects the agencies' empirical judgment about where model inventory size and complexity become non-trivial in practice rather than alignment with a pre-existing capital or liquidity tier. Below-threshold institutions retain the obligation to have risk-appropriate MRM practices but are presumptively not subject to these specific expectations. For community banks and mid-size regionals, this removes the shadow of non-compliance that SR 11-7 created even for straightforward model deployments.

The $30 billion figure is best read as a recalibration rather than a novelty. While SR 11-7 itself set no asset threshold, the FDIC's 2017 adoption (FIL-22-2017) already signaled that the guidance was generally not expected to apply to institutions under $1 billion in total assets absent significant, complex, or elevated-risk model use. The 2026 guidance moves that tailoring instinct up by roughly an order of magnitude, makes it explicit, and extends it on an interagency basis — giving OCC- and Fed-supervised institutions a size-based scoping that the FDIC had applied in narrower form for nearly a decade.

One framing nuance is worth preserving for community-bank audiences. The guidance body states that "generally excluding [sub-$30B organizations] from this guidance is consistent with a tailored supervisory approach," which supports the exclusion read above. Yet the bulletin's cover note states that the guidance "is applicable to all community banks, subject to the limitations discussed in the guidance." Both are accurate: the guidance technically reaches all institutions but is calibrated to be most relevant above $30 billion, with smaller institutions presumptively scoped out unless their model exposure is significant. The cover-note formulation is the one community bankers and their examiners are most likely to cite, and the distinction matters when advising an institution near or below the threshold.
New · Guidance Explicitly Non-Enforceable — Supervisory Criticism Disclaimed · ▲ High
SR 11-7 · April 2011
Framed as setting out "supervisory expectations" and described what banks "should" do in prescriptive terms throughout. Widely interpreted by examiners as establishing enforceable de facto standards despite its guidance status.
OCC Bulletin 2026-13 · April 2026
Explicitly states: "This guidance does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism against a banking organization." Footnote reserves supervisory action only for violations of law or unsafe/unsound practices from insufficient MRM.
Policy Significance
This is the single most operationally significant change in the document. SR 11-7, while technically guidance, functioned as de facto binding standards in examination practice—MRM shortfalls against SR 11-7 routinely produced MRAs. The explicit non-enforceable disclaimer directly addresses examiner practice and creates a legal firewall against mechanical SR 11-7-style citations. The footnote carve-out (unsafe/unsound practices may still lead to action) preserves examiner discretion at the extremes while eliminating formulaic citation risk for good-faith deviations.

This disclaimer is also part of a broader 2025–2026 pattern across the federal banking agencies of adding non-enforceability language to supervisory guidance, reflecting the post-Loper Bright deregulatory posture and the agencies' formal guidance-versus-rule statements (12 CFR Part 4 Subpart F for OCC, Part 262 for the Board, Part 302 for the FDIC, referenced in Footnote 1). The 2025 OCC clarification on community-bank application of MRM was a precursor.
Revised · Model Definition Narrowed — Spreadsheets and Rule-Based Systems Excluded · ▲ High
SR 11-7 · April 2011
Model is "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions." Three components: information input, processing, reporting. Explicitly included quantitative approaches with qualitative or expert-judgment inputs if output is quantitative. Very broad—caught many tools.
OCC Bulletin 2026-13 · April 2026
Model is "a complex quantitative method, system, or approach that applies statistical, economic, or financial theories." Explicitly excludes: simple arithmetic calculations (including spreadsheets), deterministic rule-based processes, and software without statistical/economic/financial theory in its design or use. Drops the three-component framework. Drops "mathematical" from theory types. Drops "techniques and assumptions" from the characterization.
Policy Significance
The addition of "complex" as a modifier and the explicit exclusions (spreadsheets, rule-based systems) meaningfully narrow the universe of tools subject to MRM requirements. Under SR 11-7, many institutions captured decision-tree logic, scorecard models, and even sophisticated spreadsheets in their model inventories to avoid examination risk. The 2026 definition focuses MRM resources on genuinely statistical and theory-grounded tools. The loss of "mathematical" from the theory list is noteworthy—it may signal that pure mathematical optimization tools without economic underpinning are outside scope. The three-component framework's removal simplifies the definitional test.
AI-Specific · Generative AI and Agentic AI Explicitly Excluded from MRM Scope · ▲ High
SR 11-7 · April 2011
No mention of AI, machine learning, or generative models. Predates modern AI deployment in banking. "Data-driven quantitative decision-making tools" broadly encompassed emerging tech as it arose—causing SR 11-7 to be stretched to cover ML models through examiner interpretation.
OCC Bulletin 2026-13 · April 2026
Footnote 3 states: "Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance." However, general risk management and governance practices should guide controls for out-of-scope tools. The guidance's principles apply to traditional statistical and quantitative models and non-generative, non-agentic AI models.
Policy Significance
This is a deliberate regulatory carve-out with significant practical implications. The agencies effectively acknowledged that fitting generative AI governance into a 2011 MRM framework would be an awkward retrofit—and declined to do so. The carve-out creates a regulatory gap: institutions deploying LLMs for credit decisions, document analysis, or customer-facing functions do not have a clear MRM framework to follow. The agencies preserve the general principle that good governance applies, but explicitly decline to specify what that means for generative AI.

Most importantly: the agencies announced concurrently with this guidance that they plan to issue a joint Request for Information on model risk management and AI, specifically including generative and agentic AI. The carve-out is not the end of the conversation—it is the agencies pausing to gather input before building a separate framework. Institutions and trade associations should plan to engage substantively with the RFI as the primary channel for shaping federal GenAI model governance expectations.
New · Model Materiality — Formal Two-Axis Framework (Exposure × Purpose) · ▲ High
SR 11-7 · April 2011
Materiality discussed informally: "where model failure would have a particularly harmful impact on a bank's financial condition, a bank's model risk management framework should be more extensive." No structured materiality framework. No formal axes of assessment.
OCC Bulletin 2026-13 · April 2026
Introduces formal two-axis materiality framework:

Model Exposure — significance of model output to business decisions; tied to portfolio size; quantitatively measurable.
Model Purpose — qualitative; nature and importance of use; regulatory compliance and financial risk management models deemed higher risk.

Model Materiality = exposure + purpose combined. Explicitly permits reduced oversight for models deemed immaterial, with monitoring for potential future materiality.
Policy Significance
The formalization of a materiality framework is a significant structural improvement over SR 11-7. It provides a conceptual anchor for model tiering—an industry practice that was implicitly endorsed but never formally blessed. The two-axis structure (exposure = quantitative, purpose = qualitative) allows institutions to formally designate lower-tier models for reduced oversight without examination risk. The explicit permission to deem models immaterial and reduce oversight accordingly (while monitoring for future materiality) gives institutions a policy hook for model inventory rationalization that SR 11-7 did not provide.

Read as policy signaling, the materiality framework retroactively blesses the tiering practices that large institutions have deployed for over a decade in a gray zone. Institutions defending existing tiering frameworks during examinations now have direct supervisory text to cite. The framework also creates a path for institutions to formally retire low-materiality models from active validation cycles—a meaningful operational benefit for inventory-heavy organizations.
Revised · Validation Independence — Organizational Structure Deprioritized; Review Quality Elevated · ▲ High
SR 11-7 · April 2011
Validation "should be done by people who are not responsible for development or use and do not have a stake in whether a model is determined to be valid." Independence reflected in separate reporting lines, compensation practices, corporate culture. Required explicit authority, stature, and commitment from higher management. Three-part framework: incentives, competence, influence.
OCC Bulletin 2026-13 · April 2026
"The quality of validation process depends on the rigor and effectiveness of the review rather than on organizational structure of the banking organization's risk management function." Emphasizes technical knowledge and modeling expertise as the primary enablers. Retains the concept of effective challenge but removes the prescriptive independence-by-org-chart framework.
Policy Significance
This is among the most significant conceptual shifts in the document. SR 11-7's emphasis on separate reporting lines and organizational independence created structural model validation units at virtually every large bank—often regardless of whether that structure actually improved review quality. The 2026 guidance explicitly reframes quality as the goal, not structure.

Importantly, the new guidance does not eliminate reporting-line independence entirely: Section VI (Governance and Controls) still references "potential conflicts of interest (e.g., misalignment of incentives between different reporting lines, such as model development and validation groups)" as a recognized governance consideration. The shift is one of emphasis—structural independence remains a recognized conflict-of-interest control, but it is no longer the primary marker of validation quality. This gives institutions flexibility to restructure validation functions based on expertise concentration rather than reporting-line separation for its own sake, and may reduce examination friction in cases where a highly qualified developer conducts rigorous, well-documented validation work.
Revised · Model Implementation as Separate Category Eliminated — Merged into Development · ◆ Medium
SR 11-7 · April 2011
Section IV titled: "Model Development, Implementation, and Use." Separate discussion of "Model Development and Implementation" as a subsection with distinct requirements around embedding models in information systems, data flow management, controls, and testing of system integration. Treated implementation as a discrete, high-risk stage.
OCC Bulletin 2026-13 · April 2026
Section IV titled: "Model Development and Model Use." Implementation-specific requirements folded into development. No separate implementation subsection. Emphasis shifts from system-embedding mechanics to alignment with model purpose and business use, and to collaborative engagement between developers and users.
Policy Significance
The removal of implementation as a distinct stage reflects the evolution of model deployment infrastructure. In 2011, embedding a model in bank systems was a significant technical project with distinct risk—custom integration code, data pipeline construction, and IT-system embedding were the dominant deployment activities. Modern API-based, cloud-deployed, and vendor-hosted models make the development/implementation boundary far less clear; most institutions no longer "implement" models in the 2011 sense but instead consume them via SaaS endpoints or managed services. The 2026 guidance's consolidation reflects this reality. It also shifts focus from IT integration risk to conceptual alignment risk—ensuring models are used for their intended purpose, which is the more prevalent failure mode in contemporary model deployments.
Revised · Effective Challenge — Retained but Streamlined; Influence Requirement Softened · ◆ Medium
SR 11-7 · April 2011
Effective challenge defined as "critical analysis by objective, informed parties" requiring three elements: incentives (separation, compensation practices), competence (technical expertise), and influence (explicit authority, stature, management commitment). Influence described as requiring "explicit authority" and "commitment and support from higher levels of management."
OCC Bulletin 2026-13 · April 2026
Effective challenge defined as "critical analysis conducted by objective experts" throughout the model lifecycle. Requires appropriate expertise, sufficient independence to maintain objectivity, and organizational standing and influence to effect any change. Incentives/compensation framework removed. Three-part taxonomy collapsed into a single sentence.
Policy Significance
The simplification of effective challenge removes the prescriptive three-part framework without eliminating the core concept. The removal of explicit incentive/compensation language reduces the examination hook for challenging MRM compensation structures. The retention of "organizational standing and influence" preserves the substance of the influence requirement while dropping the specific mechanics. The shift from "objective, informed parties" to "objective experts" elevates the technical bar while loosening the independence requirement—consistent with the broader move away from organizational-structure-as-independence.
Revised · Aggregate Model Risk — More Explicit Articulation with Portfolio-Level Framing · ◆ Medium
SR 11-7 · April 2011
Aggregate model risk addressed through: "Aggregate model risk is affected by interaction and dependencies among models; reliance on common assumptions, data, or methodologies; and any other factors that could adversely affect several models and their outputs at the same time." Discussed in context of risk management generally.
OCC Bulletin 2026-13 · April 2026
Sound practice explicitly involves assessing model risk both individually and in aggregate. Aggregate risk language retained and slightly refined: "reflects interactions and dependencies among models; reliance on common assumptions, data, or methodologies; and any other factors that could adversely affect several models and their outputs simultaneously." Model inventory explicitly supports aggregate-level assessment.
Policy Significance
The explicit "individually and in aggregate" formulation elevates aggregate risk assessment as a standalone requirement rather than an embedded consideration. This is practically significant as institutions deploy suites of interconnected AI and ML models that feed each other's outputs—aggregate risk from correlated model failures is a genuine systemic concern. The explicit linkage to model inventory (which must support both individual and aggregate assessment) creates an operational connection between inventory management and enterprise risk assessment.
Revised · Internal Audit Role — Explicitly Bounded to Evaluating MRM Practices, Not Performing Them · ◆ Medium
SR 11-7 · April 2011
Internal audit discussed as a governance mechanism but no explicit prohibition on IA performing model development or validation. Governance section discussed IA role in broader terms of oversight without clearly delineating what IA should not do. Ambiguity led to varying practices across institutions.
OCC Bulletin 2026-13 · April 2026
"Internal audit would generally not duplicate model risk management activities such as model development or validation. Instead, internal audit's role is generally to evaluate whether the model risk management practices are rigorous and effective and whether related policies are implemented accordingly."
Policy Significance
This delineation is consistent with—and reinforces—the Federal Reserve's Updated Statement of Supervisory Operating Principles (April 21, 2026, signed by Director Randy Guynn and Acting Deputy Director Julie Williams), which directs Board and Reserve Bank supervisory staff to rely on an institution's internal audit function for MRA/MRIA remediation validation rather than performing duplicative reviews (unless IA is determined to be ineffective, absent, or has not validated the remediation). The 2026 MRM guidance places IA in the corresponding role on the front end: evaluating MRM governance rather than performing validation itself. Taken together, the two documents create a consistent supervisory posture across the Fed's supervisory process and the interagency MRM expectations—IA is positioned as a fourth-line evaluator, not as a second-line backstop validator. For institutions where IA has historically filled validation gaps when the formal validation function is under-resourced, this signals that the practice is no longer expected and may reduce examination pressure to use IA as a compensating control.
Revised · Pre-Use Validation Timing — Urgent Business Need Exception Formalized · ◆ Medium
SR 11-7 · April 2011
Stated that "if it is not feasible to conduct necessary validation activities prior to model use because of data paucity or other limitations, that fact should be documented." Required compensating controls and communication to users and senior management. Framed as an exception due to data/feasibility constraints only—not business urgency.
OCC Bulletin 2026-13 · April 2026
Validation generally occurs prior to first use. However, "certain circumstances (e.g., an urgent business need) may necessitate using the model before validation is completed." Sound practice in such cases: greater attention to limitations, informing relevant stakeholders, and appropriate controls (e.g., placing limits on model use or more closely monitoring its performance).
Policy Significance
SR 11-7 only contemplated pre-use validation deferral for technical/data reasons. The explicit addition of "urgent business need" as a recognized exception reflects the pace of modern model deployment. Rapid product launches, competitive pressure, and market windows create scenarios where institutions deploy models before validation is complete. Formalizing this exception—with appropriate guardrails—provides a regulatory safe harbor for good-faith urgent deployments that previously operated in a gray zone under SR 11-7.
New · Model Inventory — Explicitly Required as Common Industry Practice · ◆ Medium
SR 11-7 · April 2011
Model inventory not specifically called out as a standalone governance requirement. Implied through general governance and controls discussion. Institutions maintained inventories as a practical matter but no explicit standard was articulated in the guidance text.
OCC Bulletin 2026-13 · April 2026
"It is common industry practice for banking organizations to maintain a comprehensive set of information for models under development or in use." Inventory must contain sufficient information to understand model risks and support effective model risk management at the individual and aggregate levels. Varying levels of detail appropriate to reflect different model complexity.
Policy Significance
Codifying the model inventory as an explicit standard, while labeling it "common industry practice" rather than a prescriptive requirement, achieves a middle ground: institutions that lack inventories cannot claim SR 11-7 ambiguity as cover, while the non-enforceable framing limits mechanical examination citations. The explicit linkage of inventory requirements to both individual and aggregate risk management is operationally significant—it means inventory content must support enterprise-level risk assessment, not just individual model tracking.
AI-Specific · Traditional ML / Non-Generative AI Confirmed In-Scope; Interpretability Recognized · ▲ High
SR 11-7 · April 2011
No AI/ML-specific provisions. Conceptual soundness validation required review of "documented evidence in support of all model choices, including the overall theoretical construction." Standard assumed model mechanics were interpretable through conventional statistical theory. No recognition that some models resist theoretical explanation.
OCC Bulletin 2026-13 · April 2026
Principles apply to traditional statistical and quantitative models and non-generative, non-agentic AI models. Conceptual soundness validation now acknowledges that while evaluating theoretical construction may be important for some models, other assessments—such as interpretability measures or benchmarking to other models—may be more practical for others.
Policy Significance
This provision resolves the longstanding tension between SR 11-7's theory-centric validation framework and black-box ML model deployment. SR 11-7 required validation to assess "overall theoretical construction"—a standard that many ML models (random forests, gradient boosting, neural networks) cannot satisfy in the same way as linear regression. The explicit acknowledgment that interpretability measures and benchmarking may substitute for theoretical construction assessment provides a validation pathway for ML models without requiring a theoretical framework that may not exist. This is a significant accommodation to modern modeling practice.
Revised · Conceptual Soundness Validation — Alternatives to Theory Assessment Permitted · ◆ Medium
SR 11-7 · April 2011
Conceptual soundness: "assessing the quality of the model design and construction… review of documentation and empirical evidence supporting the methods used… ensuring judgment exercised in model design is consistent with published research and with sound industry practice." Heavily theory- and literature-grounded. Required developmental evidence and consistency with published research.
OCC Bulletin 2026-13 · April 2026
"Validating conceptual soundness involves assessing and documenting model design (including key modeling choices, assumptions, qualitative judgments, and data selection), construction, and developmental testing. While evaluating theoretical construction may be important for some models, other assessments—such as interpretability measures or benchmarking to other models—may be more practical for other models."
Policy Significance
The shift from a uniform theory-assessment standard to a model-appropriate assessment framework reflects the proliferation of ML and proprietary vendor models. The acknowledgment that benchmarking and interpretability tools may substitute for theoretical construction review is especially significant for vendor model validation—a persistent pain point where SR 11-7's theoretical review standard was difficult to satisfy without access to underlying model code. The 2026 guidance provides examination cover for rigorous benchmarking-based validation in lieu of source-code review.
Removed · Detailed Conservatism Guidance — Capital Buffer and Adjustment Framework Dropped · ◆ Medium
SR 11-7 · April 2011
Extensive guidance on conservatism: banks should "explicitly adjust model inputs or calculations to produce more severe or adverse model output"; warned that conservatism must be demonstrated, not just claimed; required sensitivity analysis or stress testing to substantiate conservative claims; noted that banks may "hold an additional cushion of capital to protect against potential losses associated with model risk." Warning against excessive conservatism discouraging model improvement.
OCC Bulletin 2026-13 · April 2026
No equivalent conservatism framework. References to model limitations, overlays, and adjustments retained in context of ongoing monitoring, but the detailed prescriptive guidance on how to demonstrate conservatism, use capital buffers, and avoid false conservatism claims is entirely removed.
Policy Significance
The conservatism framework in SR 11-7 was designed for the post-2008 crisis environment, where underestimation of tail risk was the dominant failure mode. Its removal reflects both the shift toward risk-based proportionality and a concern that the prescriptive conservatism framework had become a mechanism for mechanical criticism of model outputs rather than a genuine risk management tool.

The removal is also consistent with the broader 2026 supervisory posture under Vice Chair for Supervision Bowman, Treasury Secretary Bessent, and FDIC Chairman Hill, which has moved away from prudential conservatism as a default supervisory orientation toward a more empirically calibrated approach (see, e.g., Secretary Bessent's March 2026 Treasury liquidity-regulation remarks and the broader move toward risk-based capital and liquidity calibration). Read alongside the broader pattern, the conservatism removal is policy signaling, not mere streamlining. Examiners will likely have a higher evidentiary bar to challenge model output calibration on conservatism grounds absent a specific showing of inaccuracy or material risk.
Removed · Prescriptive Report Design Requirements — "Clear and Comprehensible" Standard Dropped · ● Low
SR 11-7 · April 2011
Specific guidance on reports: "Reports used for business decisionmaking play a critical role in model risk management. Such reports should be clear and comprehensible and take into account the fact that decision makers and modelers often come from quite different backgrounds and may interpret the contents in different ways." Also required reports to provide a range of estimates for scenarios.
OCC Bulletin 2026-13 · April 2026
Documentation section covers: supporting continuity of operations, tracking recommendations, responses and exceptions, managing model remediation. General documentation adequacy standard retained but the specific report design requirements for business decision-makers are not reproduced.
Policy Significance
Modest impact. The removal of the specific reporting communication standard simplifies the guidance without materially changing practical requirements. Documentation requirements broadly cover what SR 11-7's reporting section addressed. The focus shifts from communication design to operational documentation utility.
Removed · Section VII Conclusion — Eliminated from Document Structure · ● Low
SR 11-7 · April 2011
Seven sections including a formal Section VII Conclusion that summarized key themes and reiterated the importance of model risk management as a comprehensive discipline integrated across the institution.
OCC Bulletin 2026-13 · April 2026
Seven sections (Introduction through Vendor/Third-Party), no conclusion. Guidance ends with vendor model risk management discussion. Structural streamlining consistent with the overall move toward a more concise document.
Policy Significance
Stylistic rather than substantive. The conclusion's removal reflects the overall move toward a leaner, more operational document. SR 11-7's conclusion was primarily summary material; its absence does not affect substantive guidance.
New · Developer–User Constructive Engagement — Elevated as a Positive Practice · ● Low
SR 11-7 · April 2011
User challenge treated with significant skepticism: described as often "weak," "not comprehensive," and "asymmetric." Users "less likely to challenge an outcome that results in an advantage for them." Model risk was "not low simply because outcomes appear favorable." Nature and motivation of user input should be "evaluated carefully."
OCC Bulletin 2026-13 · April 2026
"Input from model users can enhance model development by providing business context and practical insights." "Constructive engagement around model design and assumptions strengthens both model understanding and model quality." Business managers "may raise questions about the methods or assumptions, particularly when the outcomes are unexpected"—framed positively.
Policy Significance
SR 11-7's skeptical treatment of model user input reflected post-crisis concerns about business-line pressure on model assumptions (e.g., mortgage prepayment, credit loss calibration) that contributed to pre-2008 losses. The 2026 guidance's more positive framing of user-developer engagement reflects a shift toward collaborative model development practices, particularly relevant for modern ML and AI models where business context is essential to defining appropriate use cases and output interpretation. The risk remains that user influence could compromise model integrity, but the guidance now treats this as a governance matter rather than a structural suspicion.
Removed · BSA/AML-Specific MRM Framework Rescinded — Folded Back into General MRM · ▲ High
Pre-2026 Framework
OCC Bulletin 2021-19 / SR 21-8 / FDIC FIL-22-2021 — 2021 Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance. Provided BSA/AML-specific framing on the application of MRM principles to transaction monitoring, sanctions screening, and SAR-related models, and clarified that MRM principles "may be appropriate considerations" but did not require any specific MRM framework for BSA/AML systems. Also rescinded: OCC Bulletin 1997-24 (Credit Scoring Models examination guidance) and the Model Risk Management booklet of the Comptroller's Handbook.
OCC Bulletin 2026-13 · April 2026
All three rescinded; the BSA/AML, credit scoring, and Comptroller's Handbook treatments are folded back into general MRM principles. Bulletin 2026-13 contains no BSA/AML-specific provisions, no credit-scoring-specific provisions, and no consumer-finance carve-outs. Institutions are expected to apply the materiality framework (Card ⑤) to determine appropriate MRM rigor across all model use cases, including AML transaction monitoring, sanctions screening, and credit scoring.
Policy Significance
The rescission of the 2021 BSA/AML interagency statement is the most operationally important rescission beyond SR 11-7 itself, and is not adequately surfaced in agency press materials. Three concrete consequences:

(1) AML model governance loses its dedicated supervisory framing. Sanctions screening, transaction monitoring, and SAR analytic models now fall under general MRM principles, with the materiality framework determining rigor. For most institutions, AML models will likely be designated high-purpose / high-materiality and remain subject to robust validation—but institutions now have policy cover for tiering low-impact AML analytics that previously operated under blanket SR 21-8 expectations.

(2) The credit scoring rescission (OCC 1997-24) eliminates a separate examination posture for credit scoring models that predates SR 11-7 and was still occasionally cited by examiners. Credit scoring models are now treated as standard models subject to the general framework, which is consistent with how the industry has treated them for over a decade.

(3) The Comptroller's Handbook MRM booklet rescission removes an examiner-facing operational document. Examiners will likely rely more heavily on Bulletin 2026-13 itself plus internal examination procedures rather than a separate Handbook treatment, increasing the importance of how the new bulletin is operationalized in examiner training and on-the-ground examination practice.
AI-Specific Examination Consequences of the GenAI Carve-Out — Unsafe/Unsound Posture Persists ▲ High
SR 11-7 · April 2011
N/A — predates generative AI deployment in banking.
OCC Bulletin 2026-13 · April 2026
The carve-out (Card ④) removes GenAI from the MRM citation framework but does not remove it from examination scope. Footnote 1's preserved unsafe/unsound carve-out, the agencies' general supervisory authorities, and consumer-protection regulations (ECOA, FCRA, UDAAP) continue to apply to GenAI deployments regardless of MRM scope.
Policy Significance
The practical examination posture for institutions deploying GenAI is now: no specific MRM standard to comply with, but full exposure to unsafe-or-unsound criticism, fair-lending review, and enterprise risk management standards. This is more, not less, ambiguous than SR 11-7: institutions know that they must do something, but not what compliance looks like.

Three immediate operational implications:

(1) Institutions deploying LLMs for credit analysis, BSA/AML screening, or customer-facing functions should expect examiner inquiry under general safety-and-soundness authority, framed around governance adequacy rather than specific MRM standards.

(2) Consumer-protection intersections (adverse action notices generated by LLMs, GenAI used in marketing segmentation) likely require validation-like discipline under ECOA/Regulation B regardless of MRM citation authority.

(3) Institutions should document their reliance on non-agency frameworks (NIST AI RMF 1.0, ISO/IEC 42001, internal AI governance) as the de facto control structure during the RFI window, both to demonstrate good-faith governance and to position themselves for the comment process.
About this analysis
Significance ratings reflect the analyst's judgment of three factors: scope of affected institutions (how many institutions are practically affected), operational/structural impact (how meaningfully an institution's MRM program must change), and examination impact (how examination practice is likely to shift). High = all three; Medium = two of three; Low = primarily stylistic or limited-scope. Source text is taken from OCC Bulletin 2026-13 (April 17, 2026) and SR 11-7 (April 4, 2011). This tool is an interpretive analytical aid, not a substitute for primary-source review or legal counsel.

Primary sources. OCC Bulletin 2026-13, "Model Risk Management: Revised Guidance" (Apr 17, 2026) · Federal Reserve SR 26-2 · FDIC FIL-15-2026 · OCC News Release 2026-29. Rescinds OCC 2011-12 / SR 11-7, FDIC FIL-22-2017, the 2021 BSA/AML statement (SR 21-8 / OCC 2021-19 / FIL-27-2021), OCC Bulletin 1997-24 (Credit Scoring Models), and the Comptroller's Handbook MRM booklet. A joint Fed/FDIC/OCC RFI on MRM and AI (generative + agentic) is forthcoming.

Secondary synthesis from Davis Polk, Sullivan & Cromwell, Orrick, and Schneider Downs. Compiled for BankRegWire · Model Risk Desk · current as of June 1, 2026. Informational comparison, not legal advice.