From SR 11-7 to SR 26-2: The Regulatory Evolution
Model risk management in banking was first formally codified in 2011 when the Federal Reserve issued SR 11-7, "Guidance on Model Risk Management." The guidance defined what constituted a "model" (a quantitative method with inputs, processing, and outputs used to inform decisions), identified the risks those models carry (particularly model error, misuse, and over-reliance), and established a framework of governance expectations: independent model validation, ongoing monitoring, and documentation requirements.
For over a decade, SR 11-7 was the primary compliance reference for any financial institution deploying AI or quantitative models in lending, risk management, or compliance. Examiners would pull model inventories, review validation documentation, and assess whether institutions had adequate governance over their model lifecycle.
On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued revised interagency guidance — SR 26-2 (Federal Reserve) and OCC Bulletin 2026-13 — that supersedes SR 11-7. The revised guidance narrows the definition of "model" to reduce regulatory burden on simpler analytical tools, while adding specific provisions for AI and machine learning systems, and calibrates governance expectations proportionally for community banks rather than applying large-bank standards universally.
SR 11-7 is no longer live guidance as of April 17, 2026. Institutions citing SR 11-7 in credit files and examiner presentations should update references to SR 26-2 and OCC Bulletin 2026-13. The underlying disciplines — validation, monitoring, vendor oversight, and source-cited outputs — remain the examiner expectation floor.
Core Principles of Model Risk Management
Whether applied under SR 11-7 or the current SR 26-2 framework, model risk management rests on five operational pillars:
- Model development and documentation: Models must be built with clearly stated purpose, methodology, and limitations. Documentation must allow an independent reviewer to understand how the model works without access to the developer.
- Independent model validation: Before a model is deployed in production, it must be validated by a team independent of the development team. Validation assesses conceptual soundness, data quality, performance testing, and whether the model produces outputs that are fit for their intended use.
- Ongoing monitoring: After deployment, models must be monitored for performance degradation, data drift, and changing conditions that may reduce predictive accuracy. Thresholds for investigation and remediation must be defined in advance.
- Model inventory and governance: Institutions must maintain a complete inventory of all models in use, with ownership, use case, risk tier, validation status, and next review date. Senior management and the board have oversight responsibilities.
- Vendor oversight (third-party model risk): When a financial institution uses a vendor-provided model — including an AI underwriting platform — the institution retains responsibility for that model's performance and risk. Due diligence, contractual access to documentation, and independent validation or reliance assessment are required.
Model Risk Management for AI Underwriting Tools
The adoption of AI-powered underwriting platforms has brought model risk management to the top of the compliance agenda at community banks and credit unions. When an AI agent extracts financial data, calculates DSCR, flags risk, and drafts a credit memo, examiners expect the institution to demonstrate:
- That the tool's outputs are explainable and traceable to source documents
- That the institution has assessed the vendor's model governance and validation practices
- That human underwriters review and take accountability for AI-generated analysis before decisions are made
- That the institution monitors the tool's performance over time and has remediation procedures if accuracy degrades
Uptiq's Qore Platform is designed to satisfy these requirements by default. Every output — financial spread, ratio calculation, risk flag, and credit memo — includes full data lineage back to the source document and page, a timestamp, and a human-review step before any file reaches a credit committee. Uptiq's compliance documentation package supports institutions' vendor due diligence requirements under SR 26-2 and OCC Bulletin 2026-13.
Proportionality for Community Banks
A key change in the 2026 guidance is the explicit calibration of model risk management expectations to institution size and complexity. The SR 26-2 / OCC Bulletin 2026-13 framework recognizes that a community bank with $500 million in assets does not require the same model governance infrastructure as a global systemically important bank. Expectations are proportional — more rigorous documentation and independent validation for high-risk models, lighter governance for lower-complexity tools with limited credit impact.
This proportionality principle has practical implications for community banks evaluating AI underwriting platforms: examiners will assess governance expectations relative to the institution's size and the model's risk tier, not against a single universal standard.
Frequently Asked Questions
What is model risk management in banking?
What replaced SR 11-7 in 2026?
Does model risk management apply to AI underwriting platforms?
What do bank examiners look for in AI model risk management?
What is model validation in the context of AI underwriting?
Source-cited outputs, full audit trails, and vendor documentation packages that satisfy examiner due diligence for AI underwriting tools.
