OCC Fed FDIC Revise Bank Model Risk Management Guidance, Raise Asset Threshold to $30B

April 27, 2026

Agencies Overhaul Model Risk Management Guidance for Banks: Here’s What Changed

LinkedIn Facebook X ;) Embed

On April 17, 2026, the OCC, Federal Reserve and FDIC jointly issued “ Revised Guidance on Model Risk Management,” replacing the framework that had governed bank model risk practices since 2011.

The revised guidance rescinds:

• The Supervisory Guidance on Model Risk Management (OCC Bulletin 2011-12, Fed SR 11-7, FDIC FIL-22-2017)
• The 2021 Interagency Statement on BSA/AML Model Risk Management (OCC Bulletin 2021-19, Fed SR 21-8, FDIC FIL-27-2021)
• OCC Bulletin 1997-24, “Credit Scoring Models: Examination Guidance”
• The “Model Risk Management” booklet of the Comptroller's Handbook

Why This Matters

Banks and their service providers have relied heavily on the prior guidance, originally a joint OCC-Fed issuance from 2011 that was later adopted by the FDIC in 2017, in developing and deploying models. It drove substantial compliance investment, particularly around periodic validation cycles, documentation standards and organizational structures for model risk management. However, industry feedback and recent OCC commentary indicated that the guidance was being applied more prescriptively than intended, especially at community banks.

The revised guidance represents a meaningful recalibration of the prudential regulators’ expectations for model risk management:

• The new guidance is comparatively concise and more principles-based, with less specificity regarding how banks should carry out their risk management responsibilities. It also explicitly states that non-compliance will not result in supervisory criticism.
• The guidance narrows the definition of what constitutes a “model” and expressly excludes generative and agentic AI from its scope.
• Overall model risk, according to the guidance, should be assessed by considering a model’s inherent risk (i.e., its complexity, assumptions, and data quality and restraints) in the context of its materiality (i.e., the model’s exposure and purpose).
• While the concepts of effective challenge, robust validation and model governance generally carry over from the prior guidance, they have been reformulated to allow greater flexibility in how banks incorporate these principles into their respective model risk management frameworks.

Key Changes

Scope, Applicability and Enforcement

The guidance is now framed as “most relevant to” organizations with over $30 billion in total assets, a significant shift from the prior guidance indicating that it would be most relevant to institutions with $1 billion or more in total assets. However, the new guidance notes that organizations at or below the new $30 billion threshold may nevertheless find it useful if they have significant model risk exposure from the prevalence, complexity or nature of their institution’s model use.

The guidance makes clear that it “does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism against a banking organization.” A footnote preserves the agencies’ authority to take action for violations of law or unsafe or unsound practices stemming from insufficient model risk management.

What Counts as a “Model”

The guidance revises the definition of “model” to require complexity. Specifically, a model is defined as “a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates.” The new definition no longer encompasses methods, systems or approaches that apply “mathematical” theories. It also adds explicit carve-outs for simple arithmetic calculations (including spreadsheets), deterministic rule-based processes, and software without underlying statistical, economic or financial theories.

The guidance also includes a footnote that excludes generative and agentic AI models from its scope, based on the agencies’ view that such technologies are “novel and rapidly evolving.” For tools like generative and agentic AI models that are expressly outside the scope of the guidance, banking organizations should continue to rely on their broader risk management and governance practices to determine appropriate controls. In parallel, the agencies have announced plans to issue a request for information on banks’ use of AI, including generative and agentic AI and AI‑based models, which may inform future expectations.

Risk Assessment Framework

The new guidance introduces a framework for measuring the overall magnitude of model risk by considering a model’s inherent risk in the context of its materiality. Materiality, in turn, comprises a model’s exposure (significance to a bank’s business decisions) and purpose (the model’s nature and qualitative importance, including for risk management). Under this framework, a bank could classify a model as immaterial with low inherent risk and apply lighter-touch oversight — such as limited to identification and performance monitoring — while reserving more rigorous practices for higher-materiality models.

The prior guidance’s concept of “effective challenge” remains in the new issuance, though reformulated. Previously, the agencies took the position that effective challenge depended on a combination of “incentives, competence, and influence.” Under the new guidance, effective challenge instead requires appropriate expertise, sufficient independence to permit objectivity, and organizational standing and influence to effect change when appropriate.

Validation and Monitoring

The new guidance retains the three core validation components (conceptual soundness, outcomes analysis and ongoing monitoring) but treats each far more concisely. For example, the guidance no longer contains detailed discussions of VaR backtesting, parallel outcomes analysis, early warning metrics, process verification of computer code, override analysis and specific benchmarking procedures. Rather, the guidance highlights that “validation approaches may differ across models based on their characteristics and use” (while noting that it generally occurs pre-deployment).

Validation independence is also de-emphasized. The new guidance states that the quality of the validation process “depends on the rigor and effectiveness of the review rather than on organizational structure.” This is a notable shift from the prior guidance’s detailed treatment of reporting-line separation, compensation practices and explicit authority to challenge developers.

Governance, Audit and Vendor Management

The new guidance replaces detailed expectations for board and senior management duties, annual policy review and enumerated internal audit tasks with higher-level governance principles, such as clear roles and responsibilities, accountability, and maintaining effective policies, procedures and a risk assessment framework. The contemplated role for internal audit is comparatively limited, with the guidance indicating that this function is generally responsible for evaluating whether model risk management practices are “rigorous and effective.”

The new guidance includes a stand-alone section on vendor/third-party risk management, which recognizes that “the principles of model risk management remain applicable” even where banks are unable to validate third-party models or receive requested information from their developers. The guidance notes that where vendor models are customized for a bank’s particular needs, the institution’s validation process should involve documenting, justifying and evaluating any adjustments.

BSA/AML

The 2021 interagency statement on BSA/AML model risk management has been rescinded without a replacement. BSA/AML models within the revised definition are covered by the general framework. The specific clarifications from 2021 — regarding system categorization, duplicative testing and flexibility for rapid updates — are no longer addressed in stand-alone guidance.

Looking Ahead

The revised guidance is part of a broader interagency effort to reduce prescriptive supervisory expectations and refocus on material financial risk. In alignment with the new guidance, banking organizations should consider:

• Reassessing model inventories: The narrowed definition of “model” may remove tools that previously required full MRM treatment, such as simple rule-based systems, spreadsheet calculations and qualitative-input approaches. Banks should also determine how they will manage risks associated with generative and agentic AI models, which are out-of-scope for the new guidance.
• Applying the materiality framework: Determining a model’s materiality by considering both its exposure and purpose may allow organizations to classify some models as immaterial and right-size oversight (including monitoring frequency) accordingly.
• Updating internal policies: It may be prudent to review and revise model risk management policies built around the prior guidance’s more prescriptive expectations, including fixed validation cycles, structural independence requirements and enumerated internal audit tasks. Banks can use the new guidance as an opportunity to take a more principles-based approach to model governance and risk management activities.
• Monitoring for forthcoming AI guidance: The agencies announced their plan to issue a request for information (RFI) on model risk management and banks’ use of AI — including generative AI, agentic AI and AI-based models. Institutions deploying or evaluating these technologies should consider taking advantage of the opportunity to engage with regulators during the RFI process. [View source.]

;) ;) Report

Related Posts

• OCC submits interim final rule, preemption determination to OMB on Illinois Interchange Fee Prohibition Act’s applicability to national banks
• OCC and FDIC finalize rules eliminating reputation risk from supervision
• OCC releases updated mortgage metrics for Q4 2025

Latest Posts

• CFPB union opposes Bureau’s motion to modify stay, implement reduction-in-force plan
• Mississippi enacts data security and consumer protection requirements for money transmitters See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Orrick, Herrington & Sutcliffe LLP
2026

Written by:

Orrick, Herrington & Sutcliffe LLP Contact + Follow John Coleman + Follow Jeff Naimon + Follow Caroline Stapleton + Follow

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

Banking Sector + Follow Banks + Follow BSA/AML + Follow FDIC + Follow Federal Reserve + Follow New Guidance + Follow OCC + Follow Regulatory Oversight + Follow Regulatory Reform + Follow Regulatory Requirements + Follow Risk Management + Follow Finance & Banking + Follow Science, Computers & Technology + Follow more

Orrick, Herrington & Sutcliffe LLP on:

Solve with 2Captcha

Solve with 2Captcha