Bank Regulators Issue Updated Guidance on Use of Risk Management Models

"This revised guidance reflects supervisory experience and industry feedback accumulated over the past fifteen years, as well as significant advancements in modeling practices."
Federal Reserve Supervision and Regulation Letter

The OCC, Federal Reserve Board, and the FDIC issued updated interagency guidance on model risk management. The guidance adopts a risk-based, tailored approach and does not establish enforceable standards or prescriptive requirements.

The revised guidance is primarily directed at banking organizations with more than $30 billion in total assets. The guidance is also applicable to all community banks, subject to certain limitations. Smaller institutions with significant model risk may fall within its scope due to the complexity of their models or activities outside traditional community banking.

In the guidance, the agencies narrowed the definition of “model” to exclude simple arithmetic calculations, deterministic rule-based processes, and software without statistical or economic underpinnings. Generative AI and agentic AI are outside the scope of the guidance, though the agencies noted that existing governance practices should inform controls for those tools.

The agencies said that validation rigor must be proportionate to model complexity and materiality. Validation must generally occur before first use, though exceptions are permitted for urgent business needs with appropriate compensating controls in place. Regarding vendor and third-party models, the agencies required validation, whether internal or by outside parties, along with ongoing monitoring and documentation of any customizations.

The bulletin builds on OCC Bulletin 2025-26, “Model Risk Management: Clarification for Community Banks,” which previously clarified that OCC guidance does not require community banks to perform annual model validation. The new guidance rescinded the following OCC issuances:

  • OCC Bulletin 2011-12, “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management;”
  • OCC Bulletin 1997-24, “Credit Scoring Models: Examination Guidance,” including its appendix on safety, soundness, and compliance issues for credit scoring models;
  • OCC Bulletin 2021-19, “Bank Secrecy Act/Anti-Money Laundering: Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information;” and
  • the “Model Risk Management” booklet of the Comptroller’s Handbook.

The agencies stated that they plan to issue a separate request for information on model risk management for AI, including generative AI and agentic AI.
