Model‑risk guidance shifts

- Discussions show model‑risk guidance moving from checklists toward risk‑based, outcomes‑focused validation. (x.com)
- Visual posts promoted GRC simplification and highlighted executive pushback against heavy, rigid GRC platforms. (x.com)
- Leaders are urged to align model testing scope with business risk instead of blanket, resource‑heavy processes. (x.com)

U.S. bank regulators rewrote model-risk guidance on April 17, replacing a 2011 framework with rules that tell banks to match testing to actual business risk. (federalreserve.gov) The Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation said the new guidance supersedes SR 11-7 from April 4, 2011, and a separate 2021 statement on Bank Secrecy Act and anti-money-laundering systems. (federalreserve.gov)

The agencies said the revision is “risk-based,” tailored to a bank’s model-risk profile and the size and complexity of its operations, rather than a single process applied to every model. (fdic.gov) In plain terms, model-risk management is the process banks use to check whether a pricing, credit, fraud, or stress-testing model is wrong, misused, or producing bad decisions. The 2026 guidance still covers development, use, validation, monitoring, governance, and third-party products. (federalreserve.gov) (occ.treas.gov)

The change lands after 15 years of supervisory experience and industry feedback, the Federal Reserve said, as banks expanded model use across more business lines and more complex systems. (federalreserve.gov) The new guidance is expected to matter most for banking organizations with more than $30 billion in assets, though regulators said smaller institutions can still fall under it if their model exposure is significant or unusually complex. (occ.treas.gov) (fdic.gov)

Regulators also drew a line around the current artificial-intelligence boom. The OCC said generative artificial intelligence and agentic artificial intelligence models are “novel and rapidly evolving” and are not within the scope of this guidance. (occ.treas.gov)

That leaves banks with a narrower immediate message: focus scarce validation staff on the models that can do the most damage if they fail. The revised guidance says practices that fit one bank can be ineffective at another bank with a different risk profile or model use. (federalreserve.gov)

The agencies also softened the compliance posture around the document itself. The OCC and FDIC both said the guidance does not create enforceable standards, and non-compliance alone will not trigger supervisory criticism. (occ.treas.gov) (fdic.gov) That language fits a broader governance, risk, and compliance shift described by IDC in a 2025-2026 market assessment, which said buyers are moving from “static control functions” toward a more agile, business-run operating model. (pwc.com)

For banks, the practical result is less emphasis on proving every box was checked and more emphasis on showing that testing, monitoring, and governance match the model’s stakes. That is the center of the April 17 rewrite. (federalreserve.gov)
