Client Memorandum
April 18, 2026
To: Model Risk Management and Compliance Leadership
From: Kevin D. Oden & Associates
Re: Revised Interagency Supervisory Guidance on Model Risk Management — Summary of Changes and Implications
Executive Summary
On April 17, 2026, the Board of Governors of the Federal Reserve System, the FDIC, and the OCC jointly issued revised supervisory guidance on model risk management, updating the principles that have governed MRM practice since the original SR 11-7 / OCC 2011-12 was released in 2011. The revised bulletin retains the three-pillar architecture of the original guidance — development and use, validation, and governance — but materially changes its regulatory posture, scope, and level of prescriptive detail.
The revised guidance is explicitly principles-based and non-enforceable. It is tailored toward banking organizations with greater than $30 billion in total assets. It narrows the definition of a “model,” and places generative and agentic AI expressly outside its scope. Validation independence is softened from a structural requirement to a principle, and documentation, governance, and third-party sections are substantially condensed.
The practical effect is a lighter, more proportional framework on paper — but underlying safety-and-soundness expectations have not changed. Institutions should expect examiner practice to evolve through 2026 and 2027, and should not interpret the revised bulletin as a license to reduce MRM investment in areas where model risk remains material to the business.
Key Implications for Banking Organizations
Do not over-read the non-enforceability language
Although the agencies have stated that non-compliance with the guidance will not, by itself, result in supervisory criticism, the bulletin preserves the agencies’ authority to act where insufficient model risk management rises to the level of a violation of law or an unsafe or unsound practice. Institutions should assume that their fundamental obligations around prudent model use are unchanged.
Revisit model inventory scoping
The narrowed definition of a “model” and the explicit exclusion of deterministic rule-based systems and simple spreadsheet calculations provide a basis for re-examining scope. Institutions that have historically captured end-user computing tools, rules engines, and simple allocation logic within their model inventories may wish to reconsider whether this remains warranted. Any scope reduction should be supported by documented rationale and be consistent with the institution’s broader risk taxonomy.
Address the generative and agentic AI governance gap
The agencies have expressly removed generative and agentic AI tools from the scope of this guidance. This does not eliminate the need for governance — it reassigns it. Institutions deploying these technologies should stand up a parallel governance construct, typically aligned to the NIST AI Risk Management Framework, with appropriate adaptation to financial services use cases. Relying solely on SR 11-7-style validation for generative or agentic systems was always a poor fit, and is now unsupported by the underlying guidance.
Recommended Near-Term Actions
Institutions should consider the following actions over the next 60 to 90 days:
- Perform a gap analysis comparing the institution’s current MRM policy against the revised bulletin
- Establish or refresh a generative and agentic AI governance framework
- Review the model inventory for items that may no longer meet the definition of a model
- Reassess the validation operating model
Access the Full Memorandum
View the full document for complete analysis and detailed comparison.