Summary
On April 17, 2026, the OCC, Federal Reserve, and FDIC (collectively, the “Agencies”) issued revised supervisory guidance on model risk management (the “Revised Guidance”).[1] The Revised Guidance supersedes the Agencies’ previous supervisory guidance on model risk management (the “Original Guidance”), which had been issued in 2011.[2] The Revised Guidance also supersedes the 2021 Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (the “BSA/AML Statement”), as well as certain additional OCC-specific guidance.[3]
The Revised Guidance represents a shift toward a more flexible, principles-based approach to model risk management. Key changes include:
- A narrower definition of “model” as compared to the Original Guidance;
- Explicit exclusion of generative and agentic artificial intelligence (“AI”) models from the guidance’s scope;
- Adoption of a new $30 billion asset threshold for applicability;
- Provision of greater clarity regarding how banking organizations may assess model materiality and calibrate their model risk management practices in light of materiality determinations;
- Inclusion of an explicit disclaimer that departure from the guidance may not by itself give rise to supervisory criticism; and
- Streamlined expectations for how banking organizations should approach validation of vendor and third-party models.
Background
Original Guidance
The OCC and Federal Reserve jointly issued the Original Guidance in 2011, in response to the increasing use of models by banks—a trend driven in part by changes to the regulatory capital rules for market, credit, and operational risk that had recently been adopted.[4] The Original Guidance set out comprehensive expectations for model risk management, addressing model development, implementation, and use; model validation; and associated governance, policies, and controls.
The FDIC adopted the Original Guidance in 2017, with certain conforming changes. Most notably, the FDIC indicated that the guidance was not expected to apply to institutions with under $1 billion in total assets unless the institution’s model use was significant, complex, or posed elevated risk to the institution.[5]
BSA/AML Statement
In 2021, the Agencies jointly issued the BSA/AML Statement to address how the risk management principles detailed in the Original Guidance relate to the systems and models that banks use to comply with Bank Secrecy Act (“BSA”) and anti-money laundering (“AML”) obligations.[6]
Scope of Revised Guidance
Definition of Model
The Revised Guidance modifies the definition of “model” from the Original Guidance, which had defined “model” broadly as a “quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”[7] This definition, combined with examples of model functions that included “informing business decisions,” “measuring compliance with internal limits,” and “meeting financial or regulatory reporting requirements,” could be read to encompass a wide range of quantitative tools.
The BSA/AML Statement provided some additional clarification in the BSA/AML context, noting that the determination of whether a BSA/AML system constitutes a model is bank-specific. The BSA/AML Statement also indicated that stand-alone, simple tools used to flag transactions based on a single factor and systems used to aggregate cash transactions at bank branches for purposes of filing Currency Transaction Reports would not be considered models.[8]
The Revised Guidance narrows the Original Guidance’s expansive definition of “model.” A “model” is now defined as “a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input into quantitative estimates.”[9] Significantly, the Revised Guidance specifies that this definition excludes “simple arithmetic calculations, such as those found within spreadsheets, as well as deterministic rule-based processes and software where there are no statistical, economic, or financial theories underpinning their design or use.”
This narrower definition appears intended to reduce the number of systems subject to the guidance’s model risk management expectations and provide clarity to banking organizations that had been uncertain about whether certain quantitative tools triggered full compliance obligations.
Exclusion of Generative and Agentic AI Models
The Original Guidance predated the advent of generative AI models. The Revised Guidance explicitly excludes generative and agentic AI models from its scope, on the basis that these technologies are “novel and rapidly evolving.”[10] However, the Revised Guidance confirms that it does apply to both traditional statistical and quantitative models and non-generative, non-agentic AI models. The Revised Guidance recommends that banking organizations apply their broader risk management and governance practices to guide the determination of the appropriate governance and controls to be applied to any tools, processes, or systems not covered by the Revised Guidance, including generative and agentic AI models. These tools are thus not exempted from risk management and governance expectations, but rather are subject to the risk management and governance expectations that apply to banking organizations in general. As noted below, the OCC’s press release announcing the Revised Guidance stated that the Agencies are planning to issue a request for information on model risk management that considers banks’ use of AI, including generative and agentic AI and AI-based models.
Applicability Threshold
The OCC and Federal Reserve did not adopt any asset-based applicability threshold in the Original Guidance; as noted above, the FDIC adopted the Original Guidance in 2017 with certain modifications, including the specification of a $1 billion threshold (with the proviso that the guidance would still apply to institutions with significant or complex model use even if below the $1 billion threshold). The Revised Guidance introduces a uniform $30 billion threshold across all three agencies, stating that it is “expected to be most relevant to banking organizations with over $30 billion in total assets.”[11] The Revised Guidance notes, however, that it may also be relevant to smaller institutions “that have significant exposure to model risk because of the prevalence and complexity of their models or because of activities outside the scope of traditional community banking.”
Other Substantive Changes in Revised Guidance
Emphasis on Materiality
The Original Guidance discussed “materiality” as an “important consideration” in model risk management, noting that banking organizations with less pervasive model use (and for which model risk therefore poses more limited potential to affect financial condition) may not need “as complex an approach to model risk management in order to meet supervisory expectations.”[12] The BSA/AML Statement similarly acknowledged that “[c]onsistent with a risk-based approach, the rigor and sophistication of sound risk management practices are generally commensurate with [a banking organization’s] overall use of models, the complexity and materiality of its models, and the size and complexity of the [banking organization’s] operations.”[13] Neither document, however, provided a framework for assessing materiality or calibrating risk management approach based on that assessment.
The Revised Guidance fills this gap. It establishes that “[m]odel purpose, together with model exposure, determines model materiality.”[14] Model exposure “refers to the significance of the model output to a banking organization’s business decisions, which tends to be greater for models affecting larger portfolios or having a larger business impact.” The Revised Guidance notes that model exposure “can be quantitatively measured (e.g., by portfolio size).” Model purpose “is a qualitative consideration that involves the nature and importance of the models used by banking organizations.” The Revised Guidance observes that “models developed to help meet regulatory requirements are generally considered to be of greater risk than models that are not used for such purposes.”
Under this framework for assessing materiality, banking organizations may determine that certain models are immaterial based on their purpose and associated model exposure. For models determined to be immaterial on this basis, appropriate model risk management “may consist of identifying those models and monitoring model performance and conditions under which the use of those models may become material to the banking organization in the future.” By contrast, models that are assessed to have higher materiality may “warrant more comprehensive and rigorous oversight.” This tiered approach is intended to permit banking organizations to allocate their model oversight resources more efficiently.
Principles-Based Approach
The Original Guidance included highly specific directions as to how a banking organization should manage the risks posed by its use of models. For example, it required banking organizations to review or validate each model “at least annually.” It emphasized the importance of validator independence and suggested specific mechanisms to promote independence in the performance of this function internally—such as tying compensation to “the quality of model validations and the degree of critical, unbiased review.”[15] The Original Guidance also prescribed responsibilities for boards and senior management with regard to model risk management. For example, the Original Guidance required banks’ boards and senior management to establish a bank-wide approach to model risk management, including by establishing a model risk management framework that fits into the broader risk of the organization. The Original Guidance directed a bank’s “board or its delegates” to “approve model risk management policies and review them annually to ensure consistent and rigorous practices across the organization,” and stated that “[f]indings from internal audit related to models should be documented and reported to the board or its appropriately delegated agent.”
The Revised Guidance takes a more principles-based approach, specifying in less detail the specific manner in which a banking organization should carry out model risk management. For instance, it contains no required model validation cadence. It streamlines the Original Guidance’s extensive discussion of independence, noting simply that “[e]ffective challenge is performed by individuals with…sufficient independence to maintain objectivity.”[16] The Revised Guidance replaces specific board and management responsibilities (e.g., annual approval of model risk management policies) with the general observation that “[m]odel risk management benefits from clear roles and responsibilities with well-defined accountability.” The result is a framework that affords banking organizations considerable discretion in designing their model risk management programs, and may be understood to validate the continued use by banking organizations of previously adopted tailored, risk-based model risk management frameworks.
Enforceability
Although the Original Guidance was supervisory guidance, and therefore was formally nonbinding, it did not contain any acknowledgement of its unenforceable status. It tied various provisions to “supervisory expectations,” creating ambiguity about how supervisors would evaluate non-compliance with the guidance.[17] However, the BSA/AML Statement later clarified that the Original Guidance was “nonbinding.”[18] The Revised Guidance goes further, explicitly stating that it “does not set forth enforceable standards or prescriptive requirements” and that “non-compliance with this guidance will not result in supervisory criticism against a banking organization.”[19] This language should provide banking organizations with greater confidence that departures from the guidance, where supported by a sound risk-based rationale, will not trigger adverse supervisory findings.
Vendor and Third-Party Models
The Original Guidance included a detailed discussion of expectations for how a banking organization should validate its use of a vendor or third-party model product, including requirements to obtain developmental evidence from vendors, conduct independent validation, and maintain contingency plans for vendor disruptions. These expectations were largely reiterated in the BSA/AML Statement with respect to models used for BSA/AML functions. The Revised Guidance takes a lighter touch. For instance, it acknowledges that proprietary components of vendor models may limit a banking organization’s visibility into those models. The Revised Guidance identifies “sound practice” with respect to validation of vendor models as “developing an understanding of the model” and conducting ongoing monitoring and outcome analysis.[20] Notably, the Revised Guidance does not explicitly require contingency plans for vendor models, a change that may provide some operational flexibility but warrants careful consideration by banking organizations with significant dependencies on third-party models.
Implications
The Revised Guidance represents a meaningful recalibration of supervisory expectations for model risk management. By narrowing the definition of “model,” introducing a materiality-based framework, and explicitly disclaiming enforceability, the Agencies have signaled a more flexible approach that should reduce compliance burden. Banking organizations should nonetheless maintain appropriate protections against model risk commensurate with their risk profiles.
Importantly, the OCC’s announcement of the Revised Guidance noted that “[t]he agencies will continue to consider additional measures to address model risk management consistent with broader supervisory and other goals.” Specifically, as noted above, the OCC release notes that “the agencies plan to issue in the near future a request for information that addresses model risk management generally and considers, in particular, banks’ use of AI, including generative AI and agentic AI and AI-based models.”
[1] Press Release, OCC, Agencies Issue Revised Model Risk Guidance (Apr. 17, 2026) [hereinafter “OCC Press Release”], https://www.fdic.gov/news/press-releases/2026/agencies-issue-revised-model-risk-guidance; Federal Reserve Board, SR 26-2, Revised Guidance on Model Risk Management (Apr. 17, 2026) [hereinafter “SR 26-2”], https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm; Federal Reserve, FDIC, OCC, SR 26-2 Attachment, Supervisory Guidance on Model Risk Management (Apr. 17, 2026) [hereinafter “Revised Guidance”], https://www.federalreserve.gov/supervisionreg/srletters/SR2602a1.pdf; Press Release, FDIC, Agencies Issue Revised Model Risk Guidance (Apr. 17, 2026), https://www.fdic.gov/news/press-releases/2026/agencies-issue-revised-model-risk-guidance. Although the Revised Guidance, like the Original Guidance, has been adopted in final form without undergoing prior notice and comment, the Federal Reserve did announce that banking organizations may provide any feedback or send questions via its public website.
[2] For the Original Guidance, see Federal Reserve, SR 11-7, Guidance on Model Risk Management (Apr. 4, 2011) [hereinafter “SR 11-7”], https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf; Federal Reserve & OCC, SR 11-7 Attachment, Supervisory Guidance on Model Risk Management (Apr. 4, 2011) [hereinafter “Original Guidance”], https://www.federalreserve.gov/boarddocs/srletters/2011/sr1107a1.pdf; FDIC, FIL-22-2017, Adoption of Supervisory Guidance on Model Risk Management (June 7, 2017) [hereinafter “FIL-22-2017”], https://www.fdic.gov/news/inactive-financial-institution-letters/2017/adoption-supervisory-guidance-model-risk-management-revised#continuation.
[3] See Federal Reserve, FDIC, OCC, Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance (Apr. 9, 2021) [hereinafter “BSA/AML Statement”], https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20210409a2.pdf. The OCC also rescinded: the “Model Risk Management” booklet of the Comptroller’s Handbook; OCC Bulletin 1997-24, Credit Scoring Models: Examination Guidance, including the Appendix, Safety and Soundness and Compliance Issues on Credit Scoring Models; OCC Bulletin 2011-12, Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management; and OCC Bulletin 2021-19, Bank Secrecy Act/Anti-Money Laundering: Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information. OCC Press Release.
[4] See SR 11-7, at 1 n.1.
[6] BSA/AML Statement, at 1.
[7] Original Guidance, at 3. The Original Guidance further stated that a “model consists of three components: an information input component, which delivers assumptions and data to the model; a processing component, which transforms inputs into estimates; and a reporting component, which translates the estimates into useful business information.” The Original Guidance underscored that the definition of an in-scope model “also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature.” Id.
[8] BSA/AML Statement, at 3.
[9] Revised Guidance, at 3 (emphasis added).
[12] Original Guidance, at 5.
[13] BSA/AML Statement, at 2.
[14] Revised Guidance, at 4.
[15] Original Guidance, at 9. The BSA/AML Statement similarly emphasized the importance of independence, though it also emphasized that “there is no requirement that a [banking organization] perform duplicative independent testing activities.” BSA/AML Statement, at 4.
[16] Revised Guidance, at 5.
[17] E.g., Original Guidance, at 2, 5, 17.
[18] BSA/AML Statement, at 3.
[19] Revised Guidance, at 2. In keeping with generally applicable background law, including the Agencies’ codified statements regarding the role of supervisory guidance (see 12 C.F.R. Part 4, Subpart F, Appendix A (OCC); 12 C.F.R. Part 262, Appendix A (Board); 12 C.F.R. Part 302, Appendix A (FDIC)), the Revised Guidance observes in a footnote that “supervisory action may result for any violations of law or unsafe or unsound practices stemming from insufficient management of model risk.”
[20] Revised Guidance, at 11–12.