The Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), and FDIC (the agencies) released Revised Guidance on Model Risk Management (MRM), updating their long-standing guidance on MRM. These revisions reflect the agencies’ continuing emphasis on tailoring requirements to fit an institution’s size, complexity, and risk exposure, while ensuring that controls are appropriate and effective for the institution’s particular profile.
The agencies stated that the revisions were designed to reflect supervisory experience, including advancements in model practices and industry feedback since the initial guidance was issued in 2011. The updated guidance, referred to herein by the FRB’s designation as SR 26-2, refines and supersedes the agencies’ legacy MRM framework, including SR 11-7, SR 21-8, and related OCC1 and FDIC2 guidance. Notably, the rescission of SR 21-8 removes the Bank Secrecy Act/anti-money laundering (BSA/AML)-specific MRM statement without a standalone replacement, meaning BSA/AML models are now governed by the general framework.
The updated guidance tailors MRM to a risk-based, principles-driven approach while clarifying expectations for institutions of different sizes and complexity. Unlike the prior guidance, which was more prescriptive, SR 26-2 provides flexibility and emphasizes proportionality based on an institution’s risk profile and model materiality. The revised MRM guidance is less of a rewrite and more of a refocus.
While the revised guidance allows for the scaling of expectations based on an institution’s risk profile and model materiality, excessive scaling back or insufficient risk management can expose an institution to unnecessary risks and weaken its governance framework. Regardless of the level of regulatory oversight, senior leadership and risk professionals should ensure that model risk governance remains robust, especially where models may materially affect decision making or where poor model performance could subject the institution to substantial risks.
What’s Changed With Interagency MRM Guidance?
Scope & Tailoring
The agencies stated that the guidance is expected to be most relevant to institutions with over $30 billion in total assets. The agencies note that models used by institutions with total assets of $30 billion or less remain subject to internal risk management and governance practices appropriate for the size and risk profile of these institutions, and, as such, can generally be excluded from the specificities of the MRM guidance. While the guidance may be less relevant to smaller institutions, internal risk management and governance practices should nonetheless remain sufficiently robust as the core principles of prudent risk management, including those related to MRM, still remain. As such, even without being examined to the standards of SR 26-2, institutions may find it advantageous to apply similar standards to high- or moderate-risk models, especially where the model’s usage or complexity could create significant risk exposure. Smaller institutions may choose to remove some low-risk models from the inventory based on the new definitions in SR 26-2 and either not validate or extend the validation cycle for these low-risk models by enhancing the ongoing monitoring program.
Model Definition & Materiality
The agencies define a model as a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates. This new definition of a model excludes simple arithmetic calculations, such as those found within most spreadsheets, as well as deterministic rule-based processes and software where there are no statistical, economic, or financial theories. It is important to note that the agencies have excluded generative and agentic artificial intelligence (AI) models from the scope of SR 26-2, which, for the time being, excludes them from the MRM guidance. However, the principles described in the guidance would still apply to traditional statistical and quantitative models, as well as predictive AI models that are non-generative and non-agentic.
The guidance also introduces model materiality, which an institution would assess based on the model’s purpose and use. Higher materiality models would require more rigorous and comprehensive oversight, while lower materiality models warrant lighter governance focused on identification and monitoring to detect when changes in use or exposure may elevate their materiality over time.
Lifecycle & Proportionality
The guidance establishes a lifecycle framework, model development and use, validation and monitoring, governance and controls, and vendor and third-party considerations. It emphasizes that the rigor applied at each stage should be commensurate with model materiality and inherent risk of the model. Further, the agencies emphasize that institutions’ broader risk management and governance practices should guide the appropriate level of controls for tools and systems not covered by the guidance.
Validation Frequency
The guidance allows institutions to set validation frequency based on model materiality and risk. Model validation should generally occur prior to the model’s first use, but certain circumstances may require the use of the model prior to a validation being completed. In those instances, greater attention to the model’s limitations should be considered when assessing its use.
Supervisory View
The guidance provides a tailored approach to MRM for banks that is proportionate to their asset size, operational complexity, and the materiality of their models. It does not establish enforceable standards or prescriptive requirements. Further, non-compliance alone will not result in supervisory criticism against the institution. However, supervisory action may result from any violations of law or unsafe or unsound practices that are a result of insufficient MRM.
Vendor Models
Recent advances in technology, data availability, and AI have driven a significant expansion in the use of vendor-provided models across banking organizations. The use of vendor and third-party models introduces unique challenges for validation and broader MRM activities, particularly where proprietary components limit access to underlying code, data, or methodology. Nevertheless, the principles of MRM remain applicable and require that institutions develop a clear understanding of model design, conceptual soundness, development data, and performance. Sound practices also include ongoing monitoring and outcome analysis to ensure that models remain accurate, fit for purpose, and reliable, along with documenting, justifying, and evaluating any customizations made to the model.
What Are the Implications for Community Banks?
As previously noted, the agencies emphasize that SR 26-2 is primarily aimed at larger, more complex institutions and that examiners should exercise caution before applying the full scope of the guidance to smaller banks. The guidance is intentionally principles-based and serves as a benchmark for community banks that rely on models with meaningful exposure. Community banks should not interpret the lower-touch supervisory posture as a means to eliminate important controls. Instead, management should adopt proportionate, documented practices that reflect the materiality of models and the potential impact on safety and soundness. Even without being examined to the standards contained in the guidance, community banks may still find it advantageous to apply robust standards to high- or moderate-risk models, especially where the model’s usage or complexity creates significant exposure.
Practical Steps for Institutions
The steps below translate SR 26-2’s principles into actions institutions can implement to help reduce exposure and demonstrate sound governance.
- Maintain a Clear Model Inventory. A model inventory should capture core model attributes (purpose, ownership, inputs/outputs, and assumptions) alongside risk and governance elements such as materiality, validation status, monitoring, and limitations. Under SR 26-2, the inventory serves as the central tool for risk-tiering models and aligning validation and oversight with model use and exposure.
- Document Purpose, Assumptions, & Limitations. Clear documentation supports appropriate use, enables effective challenge, and equips teams for timely remediation when performance diverges from expected results. For each model, model documentation should capture the intended use, key assumptions, data lineage, and known limitations.
- Scale Validation & Monitoring Risk. Implement ongoing monitoring with pre-defined thresholds that trigger review or remediation. A validation should be tailored to the model based on model complexity and materiality. For example, simple models may only need basic reasonableness checks, data quality review, and a strong ongoing monitoring program, while high-risk models may warrant an independent validation that is more robust and covers the conceptual soundness, ongoing monitoring, and outcomes analysis of the model.
- Strengthen Vendor Oversight. Require contractual rights to documentation, testing results, and change notifications; document any vendor customization and include them in validation and monitoring plans; and document compensating controls and enhanced performance monitoring where proprietary constraints limit access.
- Embed Effective Independent Challenge & Escalation. Ensure objective review by qualified, independent personnel and define clear escalation triggers to the board and senior management.
- Plan for Change & Resilience. Adopt version control, change management procedures, and contingency plans. In addition, develop processes to reassess model materiality when business lines, data sources, or vendor relationships change.
SR 26-2 emphasizes that MRM should be integrated in different risk stripes across the organization, including the credit, liquidity, operational, and compliance risk frameworks. In addition to the above, institutions should consider the following cross-cutting points:
- Multiple models that rely on the same data, assumption, or vendor can create potential correlated vulnerabilities. As such, model risk should be assessed at both the individual model and aggregate level across the institution.
- Although generative and agentic AI constructs are outside of the guidance scope, its rapid introduction into institutional processes warrants consideration. Institutions should apply similar lifecycle discipline, including documenting design adequacy, data lineage, and performance, before scaling. Notably, the agencies have signaled intent to issue a forthcoming request for information on AI-specific model risk considerations.
How Forvis Mazars Can Help
The guidance changes how supervisors frame expectations, but not the responsibility to manage model risk in a safe and sound way. SR 26-2 modernizes interagency guidance by refocusing MRM on materiality, proportionality, and lifecycle discipline. Further, institutions have the flexibility to scale, but scaling requires discipline, not departure.
Our Quantitative Consulting and Financial Services Risk & Regulatory Consulting teams help institutions translate SR 26-2’s principles into practice across the full model lifecycle. Whether you are a larger institution recalibrating an existing program or a community bank building proportionate controls, we can help you right-size your approach. Reach out to a professional at Forvis Mazars to start the conversation.