Definition

Model risk management (MRM) is a governance framework that financial institutions apply to identify, assess, monitor, and control the risks associated with using quantitative models and AI tools in credit decisions, risk assessment, and compliance functions. First formalized under Federal Reserve SR 11-7 in 2011, and updated by SR 26-2 and OCC Bulletin 2026-13 in April 2026, model risk management requires institutions to validate models independently before deployment, monitor performance on an ongoing basis, maintain a complete model inventory, and exercise appropriate oversight of third-party and vendor-provided AI tools — including AI underwriting platforms.

SR 11-7 superseded by SR 26-2 + OCC Bulletin 2026-13 (April 17, 2026) Applies to: AI underwriting, credit scoring, risk models Key requirements: validation, monitoring, vendor oversight

From SR 11-7 to SR 26-2: The Regulatory Evolution

Model risk management in banking was first formally codified in 2011 when the Federal Reserve issued SR 11-7, "Guidance on Model Risk Management." The guidance defined what constituted a "model" (a quantitative method with inputs, processing, and outputs used to inform decisions), identified the risks those models carry (particularly model error, misuse, and over-reliance), and established a framework of governance expectations: independent model validation, ongoing monitoring, and documentation requirements.

For over a decade, SR 11-7 was the primary compliance reference for any financial institution deploying AI or quantitative models in lending, risk management, or compliance. Examiners would pull model inventories, review validation documentation, and assess whether institutions had adequate governance over their model lifecycle.

On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued revised interagency guidance — SR 26-2 (Federal Reserve) and OCC Bulletin 2026-13 — that supersedes SR 11-7. The revised guidance narrows the definition of "model" to reduce regulatory burden on simpler analytical tools, while adding specific provisions for AI and machine learning systems, and calibrates governance expectations proportionally for community banks rather than applying large-bank standards universally.

2026 update

SR 11-7 is no longer live guidance as of April 17, 2026. Institutions citing SR 11-7 in credit files and examiner presentations should update references to SR 26-2 and OCC Bulletin 2026-13. The underlying disciplines — validation, monitoring, vendor oversight, and source-cited outputs — remain the examiner expectation floor.

Core Principles of Model Risk Management

Whether applied under SR 11-7 or the current SR 26-2 framework, model risk management rests on five operational pillars:

  • Model development and documentation: Models must be built with clearly stated purpose, methodology, and limitations. Documentation must allow an independent reviewer to understand how the model works without access to the developer.
  • Independent model validation: Before a model is deployed in production, it must be validated by a team independent of the development team. Validation assesses conceptual soundness, data quality, performance testing, and whether the model produces outputs that are fit for their intended use.
  • Ongoing monitoring: After deployment, models must be monitored for performance degradation, data drift, and changing conditions that may reduce predictive accuracy. Thresholds for investigation and remediation must be defined in advance.
  • Model inventory and governance: Institutions must maintain a complete inventory of all models in use, with ownership, use case, risk tier, validation status, and next review date. Senior management and the board have oversight responsibilities.
  • Vendor oversight (third-party model risk): When a financial institution uses a vendor-provided model — including an AI underwriting platform — the institution retains responsibility for that model's performance and risk. Due diligence, contractual access to documentation, and independent validation or reliance assessment are required.

Model Risk Management for AI Underwriting Tools

The adoption of AI-powered underwriting platforms has brought model risk management to the top of the compliance agenda at community banks and credit unions. When an AI agent extracts financial data, calculates DSCR, flags risk, and drafts a credit memo, examiners expect the institution to demonstrate:

  • That the tool's outputs are explainable and traceable to source documents
  • That the institution has assessed the vendor's model governance and validation practices
  • That human underwriters review and take accountability for AI-generated analysis before decisions are made
  • That the institution monitors the tool's performance over time and has remediation procedures if accuracy degrades

Uptiq's Qore Platform is designed to satisfy these requirements by default. Every output — financial spread, ratio calculation, risk flag, and credit memo — includes full data lineage back to the source document and page, a timestamp, and a human-review step before any file reaches a credit committee. Uptiq's compliance documentation package supports institutions' vendor due diligence requirements under SR 26-2 and OCC Bulletin 2026-13.

Proportionality for Community Banks

A key change in the 2026 guidance is the explicit calibration of model risk management expectations to institution size and complexity. The SR 26-2 / OCC Bulletin 2026-13 framework recognizes that a community bank with $500 million in assets does not require the same model governance infrastructure as a global systemically important bank. Expectations are proportional — more rigorous documentation and independent validation for high-risk models, lighter governance for lower-complexity tools with limited credit impact.

This proportionality principle has practical implications for community banks evaluating AI underwriting platforms: examiners will assess governance expectations relative to the institution's size and the model's risk tier, not against a single universal standard.


Frequently Asked Questions

What is model risk management in banking?
Model risk management (MRM) is a governance framework that financial institutions use to identify, measure, monitor, and control the risks associated with using quantitative models and AI tools in decision-making. Key components include model development standards, independent validation before deployment, ongoing performance monitoring, model inventory management, and vendor oversight for third-party models.
What replaced SR 11-7 in 2026?
On April 17, 2026, the Federal Reserve issued SR 26-2 and the OCC issued OCC Bulletin 2026-13, jointly superseding SR 11-7 as the primary interagency model risk management guidance. The revised framework narrows the model definition, adds specific provisions for AI and machine learning, and calibrates governance expectations proportionally for community banks. The core disciplines of validation, monitoring, and documentation remain unchanged.
Does model risk management apply to AI underwriting platforms?
Yes. When a financial institution uses a vendor-provided AI underwriting tool, the institution retains model risk management responsibility for that tool's outputs. Institutions should conduct vendor due diligence, obtain documentation of the vendor's model development and validation practices, assess the tool's performance on their specific use case, ensure human review before credit decisions, and monitor ongoing performance.
What do bank examiners look for in AI model risk management?
Under SR 26-2 and OCC Bulletin 2026-13, examiners reviewing AI underwriting tools look for: clear documentation of the tool's purpose and methodology; evidence of due diligence on the vendor's validation practices; human-in-the-loop review processes before credit decisions; source-cited, traceable outputs rather than black-box results; and an ongoing monitoring plan with defined thresholds for remediation.
What is model validation in the context of AI underwriting?
Model validation is an independent assessment of whether an AI model is conceptually sound, performs as intended, and is appropriate for its stated use. For AI underwriting tools, validation typically includes reviewing the model's development documentation, testing extraction accuracy on a sample of financial documents, assessing whether outputs are explainable and auditable, and confirming that the model's performance on the institution's specific borrower population is adequate.
Uptiq Qore Platform
See how Uptiq supports SR 26-2 compliance

Source-cited outputs, full audit trails, and vendor documentation packages that satisfy examiner due diligence for AI underwriting tools.