Agencies Overhaul Model Risk Management Guidance for Banks: Here’s What Changed

6 minute read | April.24.2026

On April 17, 2026, the OCC, Federal Reserve and FDIC jointly issued “Revised Guidance on Model Risk Management,” replacing the framework that had governed bank model risk practices since 2011.

The revised guidance rescinds:

The Supervisory Guidance on Model Risk Management (OCC Bulletin 2011-12, Fed SR 11-7, FDIC FIL-22-2017)
The 2021 Interagency Statement on BSA/AML Model Risk Management (OCC Bulletin 2021-19, Fed SR 21-8, FDIC FIL-27-2021)
OCC Bulletin 1997-24, “Credit Scoring Models: Examination Guidance”
The “Model Risk Management” booklet of the Comptroller's Handbook

Why This Matters

Banks and their service providers have relied heavily on the prior guidance, originally a joint OCC-Fed issuance from 2011 that was later adopted by the FDIC in 2017, in developing and deploying models. It drove substantial compliance investment, particularly around periodic validation cycles, documentation standards and organizational structures for model risk management. However, industry feedback and recent OCC commentary indicated that the guidance was being applied more prescriptively than intended, especially at community banks.

The revised guidance represents a meaningful recalibration of the prudential regulators’ expectations for model risk management:

The new guidance is comparatively concise and more principles-based, with less specificity regarding how banks should carry out their risk management responsibilities. It also explicitly states that non-compliance will not result in supervisory criticism.
The guidance narrows the definition of what constitutes a “model” and expressly excludes generative and agentic AI from its scope.
Overall model risk, according to the guidance, should be assessed by considering a model’s inherent risk (i.e., its complexity, assumptions, and data quality and restraints) in the context of its materiality (i.e., the model’s exposure and purpose).
While the concepts of effective challenge, robust validation and model governance generally carry over from the prior guidance, they have been reformulated to allow greater flexibility in how banks incorporate these principles into their respective model risk management frameworks.

Key Changes

Scope, Applicability and Enforcement

The guidance is now framed as “most relevant to” organizations with over $30 billion in total assets, a significant shift from the prior guidance indicating that it would be most relevant to institutions with $1 billion or more in total assets. However, the new guidance notes that organizations at or below the new $30 billion threshold may nevertheless find it useful if they have significant model risk exposure from the prevalence, complexity or nature of their institution’s model use.

The guidance makes clear that it “does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism against a banking organization.” A footnote preserves the agencies’ authority to take action for violations of law or unsafe or unsound practices stemming from insufficient model risk management.

What Counts as a “Model”

The guidance revises the definition of “model” to require complexity. Specifically, a model is defined as “a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates.” The new definition no longer encompasses methods, systems or approaches that apply “mathematical” theories. It also adds explicit carve-outs for simple arithmetic calculations (including spreadsheets), deterministic rule-based processes, and software without underlying statistical, economic or financial theories.

The guidance also includes a footnote that excludes generative and agentic AI models from its scope, based on the agencies’ view that such technologies are “novel and rapidly evolving.” For tools like generative and agentic AI models that are expressly outside the scope of the guidance, banking organizations should continue to rely on their broader risk management and governance practices to determine appropriate controls. In parallel, the agencies have announced plans to issue a request for information on banks’ use of AI, including generative and agentic AI and AI‑based models, which may inform future expectations.

Risk Assessment Framework

The new guidance introduces a framework for measuring the overall magnitude of model risk by considering a model’s inherent risk in the context of its materiality. Materiality, in turn, comprises a model’s exposure (significance to a bank’s business decisions) and purpose (the model’s nature and qualitative importance, including for risk management). Under this framework, a bank could classify a model as immaterial with low inherent risk and apply lighter-touch oversight — such as limited to identification and performance monitoring — while reserving more rigorous practices for higher-materiality models.

The prior guidance’s concept of “effective challenge” remains in the new issuance, though reformulated. Previously, the agencies took the position that effective challenge depended on a combination of “incentives, competence, and influence.” Under the new guidance, effective challenge instead requires appropriate expertise, sufficient independence to permit objectivity, and organizational standing and influence to effect change when appropriate.

Validation and Monitoring

The new guidance retains the three core validation components (conceptual soundness, outcomes analysis and ongoing monitoring) but treats each far more concisely. For example, the guidance no longer contains detailed discussions of VaR backtesting, parallel outcomes analysis, early warning metrics, process verification of computer code, override analysis and specific benchmarking procedures. Rather, the guidance highlights that “validation approaches may differ across models based on their characteristics and use” (while noting that it generally occurs pre-deployment).

Validation independence is also de-emphasized. The new guidance states that the quality of the validation process “depends on the rigor and effectiveness of the review rather than on organizational structure.” This is a notable shift from the prior guidance’s detailed treatment of reporting-line separation, compensation practices and explicit authority to challenge developers.

Governance, Audit and Vendor Management

The new guidance replaces detailed expectations for board and senior management duties, annual policy review and enumerated internal audit tasks with higher-level governance principles, such as clear roles and responsibilities, accountability, and maintaining effective policies, procedures and a risk assessment framework. The contemplated role for internal audit is comparatively limited, with the guidance indicating that this function is generally responsible for evaluating whether model risk management practices are “rigorous and effective.”

The new guidance includes a stand-alone section on vendor/third-party risk management, which recognizes that “the principles of model risk management remain applicable” even where banks are unable to validate third-party models or receive requested information from their developers. The guidance notes that where vendor models are customized for a bank’s particular needs, the institution’s validation process should involve documenting, justifying and evaluating any adjustments.

BSA/AML

The 2021 interagency statement on BSA/AML model risk management has been rescinded without a replacement. BSA/AML models within the revised definition are covered by the general framework. The specific clarifications from 2021 — regarding system categorization, duplicative testing and flexibility for rapid updates — are no longer addressed in stand-alone guidance.

Looking Ahead

The revised guidance is part of a broader interagency effort to reduce prescriptive supervisory expectations and refocus on material financial risk. In alignment with the new guidance, banking organizations should consider:

Reassessing model inventories: The narrowed definition of “model” may remove tools that previously required full MRM treatment, such as simple rule-based systems, spreadsheet calculations and qualitative-input approaches. Banks should also determine how they will manage risks associated with generative and agentic AI models, which are out-of-scope for the new guidance.
Applying the materiality framework: Determining a model’s materiality by considering both its exposure and purpose may allow organizations to classify some models as immaterial and right-size oversight (including monitoring frequency) accordingly.
Updating internal policies: It may be prudent to review and revise model risk management policies built around the prior guidance’s more prescriptive expectations, including fixed validation cycles, structural independence requirements and enumerated internal audit tasks. Banks can use the new guidance as an opportunity to take a more principles-based approach to model governance and risk management activities.
Monitoring for forthcoming AI guidance: The agencies announced their plan to issue a request for information (RFI) on model risk management and banks’ use of AI — including generative AI, agentic AI and AI-based models. Institutions deploying or evaluating these technologies should consider taking advantage of the opportunity to engage with regulators during the RFI process.

For questions about how the revised guidance affects your institution's model risk management program, or to discuss strategies for reassessing your model inventory and preparing for forthcoming AI-related rulemaking, please contact one of the authors or another member of Orrick’s Financial & Fintech Advisory team.

Authors

John Coleman Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8006
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

John Coleman Partner

Washington, D.C.

Prior to joining Orrick, John was a partner at Buckley LLP, which he joined after 15 years in federal government service as a litigator and advisor to senior policymakers, most recently as Deputy General Counsel for Litigation and Oversight at the Consumer Financial Protection Bureau. He joined the CFPB soon after its creation in 2010 and was one of a core group of attorneys tasked with interpreting the authorities granted to the agency by the Consumer Financial Protection Act of 2010 and establishing the procedures by which the agency exercises those authorities. He was the first person to appear in court on behalf of the CFPB and was involved in every significant litigation matter in the agency’s history prior to his departure. As Deputy General Counsel, he managed the team of attorneys responsible for representing the Bureau in litigation, including appellate matters, and before congressional oversight bodies.

John served every director or acting director in the CFPB's history during his tenure at the CFPB, advising them and senior officials in the Division of Supervision, Enforcement, and Fair Lending on a range of complex legal and policy matters, including those arising in the course of examinations, investigations and enforcement actions. He also advised the Director and senior officials in the Division of Research, Markets, and Regulations with respect to rulemakings, and represented the agency in all rulemaking challenges.

Prior to joining the CFPB, John was a trial attorney in the Federal Programs Branch of the Department of Justice’s Civil Division, representing federal agencies and officials in high-profile civil litigation, including cases brought under the U.S. Constitution, the Administrative Procedure Act and federal antidiscrimination laws.

Following law school, he served as a law clerk for the Honorable T.S. Ellis III, of the United States District Court for the Eastern District of Virginia.

Caroline Stapleton Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 461 2904
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Caroline Stapleton Partner

Washington, D.C.

Client-centered experiences are at the heart of Caroline’s practice. She has provided a wide variety of institutions, from fintech startups to multinational banks, with tailored, practical guidance that considers each company’s unique characteristics and strategic goals. Caroline draws on her prior experiences as an attorney at a federal prudential regulator and as the head of compliance at a consumer finance company to give clients a comprehensive picture of the legal risks and opportunities each new matter presents.

Her work on behalf of financial services providers has included:

Providing guidance regarding novel or complex regulatory questions, often in the context of developing new financial products and services
Performing compliance risk assessments of marketing, underwriting, pricing, origination, servicing and loss mitigation activities
Advising banks and supervised lenders with examinations by federal and state regulators, including responding to exam findings, CAMELS ratings, Matters Requiring Attention (MRA/MRIA) and enforcement referrals
Strategically responding to and defending enforcement actions by state and federal regulators, including the Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board and Department of Justice (DOJ), and, if necessary, negotiating favorable settlements
Developing strategies for bank partnership, state licensing and bank charter opportunities for consumer financial services providers
Conducting internal investigations of suspected misconduct or violations of an institution’s policies and/or regulatory requirements

In these and other representations, Caroline brings strong substantive knowledge of the key federal and state statutes and regulations governing the financial services industry. Her specific areas of focus include:

Fair lending and anti-discrimination laws, including the Fair Housing Act (FHA) and the Equal Credit Opportunity Act (ECOA)
Prohibitions on unfair, deceptive or abusive acts or practices (UDAP and UDAAP)
Technical regulatory compliance under federal and state laws governing loan marketing, disclosures, settlement practices, servicing and collection practices, consumer reporting and electronic payments
Federal preemption, including under the National Bank Act
Compliance management best practices and regulatory expectations, including third-party vendor and merchant oversight
Treatment and disclosure of confidential supervisory information (CSI)
State lease-to-own laws and regulations

Prior to joining Orrick, Caroline was senior counsel at Buckley LLP. She also has served as an attorney-advisor in the litigation division of the OCC, where she represented the agency in civil litigation, bank receivership preparation, employment disputes and other administrative contexts. Caroline also gained valuable in-house experience as the head of compliance and assistant general counsel of a Richmond-based consumer finance company.

Jeffrey Naimon Partner, Financial & Fintech Advisory, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

D:+1 202 349 8030
E: [email protected]

Practice:

Financial & Fintech Advisory
Strategic Advisory & Government Enforcement (SAGE)
Fintech

vCard

See full bio

Jeffrey Naimon Partner

Washington, D.C.

He defends financial services companies facing complex examination or enforcement matters before the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), and federal and state banking regulators, with a focus on fair lending, unfair, deceptive or abusive acts and practices (UDAAP), loan servicing, privacy and credit reporting, debt collection, servicemember protections and other consumer protection issues.

He assists banks and nonbanks (including fintech entities) structure, negotiate and operate a variety of partnerships, outsourcing programs and other third-party arrangements, including performing due diligence, negotiating transactions and advising on ongoing oversight protocols to meet regulatory expectations for third-party arrangements.

Jeff also assists in negotiating acquisition, capital markets and servicing transactions, advising on how best to structure the transaction to reduce risk and expedite deal closure, performing due diligence and assisting in obtaining the necessary change of control and other regulatory approvals.

Jeff is consistently recognized as a leading lawyer in Financial Services Regulation: Consumer Finance (Compliance) in Chambers USA, which praised him for his "extremely high intellect regarding compliance matters and negotiation skills. There's none better at arguing a disputed point." He is also a Fellow of the American College of Consumer Financial Services Lawyers.

He currently serves as the Co-chair of the Professional Development Task Force and previously served as Co-chair (2011-2013) and Co-vice Chair (2008-2010) of the Truth in Lending Subcommittee of the American Bar Association’s Consumer Financial Services Committee and has authored numerous articles on consumer financial services.

Prior to joining Orrick, Jeff was a partner at Buckley LLP.