Summary

Situation Overview: On April 17, 2026, the Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) jointly issued revised model risk management (MRM) guidance, formally replacing the prior supervisory framework that has governed bank model risk practices for fifteen years.

What: The revised guidance emphasizes risk‑based model risk management. The guidance explicitly does not apply to generative AI and agentic AI models; the guidance does apply to non-generative, non-agentic AI models.

Who: The revised guidance is applicable to banking organizations with over $30 billion in total assets (versus the prior guidance that applied to all banking organizations). Banks with under $30 billion in assets should assess whether the prevalence or complexity of their models, or activities outside the scope of traditional community banking, create significant model risk exposure. If so, the guidance may be relevant.

When: Now.

In Depth

The newly issued guidance supersedes prior guidance[1] issued by the Federal Reserve, OCC and FDIC, and marks the most significant shift in model risk supervision in fifteen years. While the core pillars of model development, validation, monitoring, model inventory, and governance remain intact, the agencies have granted banking organizations meaningful flexibility in how those expectations are addressed. Notably, the guidance states that it “does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism against a banking organization …However, supervisory action may result for any violations of law or unsafe or unsound practices stemming from insufficient management of model risk”.

Additional key changes include:

• Revised the definition of a “model”, which is now defined as “a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates”.
  • Missing from the new definition is the “three components” test (i.e., that a model consists of inputs, processing, and reporting output components).
  • The new definition also now explicitly excludes “simple arithmetic calculations …as well as deterministic rule-based processes … where there are no statistical, economic or financial theories…”
  • Non-agentic/non-GenAI is in scope for this definition, while Agentic AI and GenAI are specifically out of scope.
  • The guidance notes that a firm’s governance/risk management practices should address any tools, processes or systems out of scope for the guidance.
• Deleted extensive guidance on model development, model validation, and ongoing monitoring, as well as the term “Model Owner” and the Annual Review expectation.
• Removed explicit expectations regarding Board-level roles and responsibilities.

In the new guidance, banking regulators focus on materiality and safety and soundness as the central supervisory lens. Under this framework, banks are expected to assess model risk based on the significance of a model to the institution’s activities and risk profile, and to scale model risk management practices accordingly. Consistent with this approach, the guidance sets out separate, principles‑based expectations for model development, model use, model validation and monitoring, governance and controls, third‑party model risk, and governance. Model validation guidance focuses on conceptual soundness and outcomes analysis.

As with any principles-based framework, early engagement with the revised guidance will be critical to demonstrating alignment with supervisory expectations.

The revised guidance provides banking organizations with the flexibility to design model risk management frameworks and governance structures appropriate for their size, complexity, and model risks.  For example:

• Firms with more material model risk exposures may continue to involve their boards in model risk management oversight, while other firms with less significant model risk profiles could adjust those practices.
• With the removal of the supervisory Annual Review requirements, firms may choose to maintain these requirements for their most material models, including those with significant reliance on market-based assumptions that can change over time.
• Although there is no longer extensive guidance on model development, model validation, and ongoing monitoring practices, firms should continue to maintain appropriate policies and procedures for these activities; there is opportunity for firms to evaluate their documented requirements and right-size them based on model risk.

Put Patomak’s Expertise to Work

Patomak is uniquely positioned to help banking organizations navigate the transition to the revised model risk management guidance. As institutions recalibrate their MRM programs, Patomak offers expertise in assessing model risk profiles and scaling governance structures to institutional complexity. Patomak also assists with aligning development, validation, monitoring, and third-party model practices to supervisory expectations.

Patomak has extensive expertise in designing and enhancing model risk management programs tailored to an institution’s size, complexity, and risk profile, ranging from establishing governance frameworks and clarifying three-lines-of-defense responsibilities to implementing targeted improvements in validation, outcomes analysis, and vendor model oversight. To learn more about how Patomak can support your compliance and strategic goals, please contact Diane Daley at ddaley@patomak.com and Heather Espinosa at hespinosa@patomak.com

---

[1] The following guidance is superseded:

• Model Risk Management Guidance, specifically SR letter 11-7, “Guidance on Model Risk Management” (April 4, 2011) / OCC Bulletin 2011-12, “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management” / FDIC’s FIL-22-2017 Adoption of Supervisory Guidance on Model Risk Management
• BSA/AML Model Guidance, specifically SR letter 21-8, “Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering Compliance” (April 9, 2021) / OCC Bulletin 2021-19, “Bank Secrecy Act/Anti-Money Laundering: Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information”
• Credit Scoring Model Guidance, especially OCC Bulletin 1997-24, “Credit Scoring Models: Examination Guidance,” including the Appendix, “Safety and Soundness and Compliance Issues on Credit Scoring Models”
• “Model Risk Management” booklet of the OCC’s Comptroller’s Handbook