Article
Updated Interagency Guidance on Model Risk Management (SR 26-2)
June 4, 2026 · Authored by Sean Statz
On April 17, 2026, the Federal Reserve Board of Governors, the FDIC, and the OCC collectively issued revised interagency guidance, SR 26-2 Supervisory Guidance on Model Risk Management, replacing the longstanding SR 11-7 framework. The new guidance reflects advancements in modeling practices and over a decade of supervisory experience, while reaffirming core principles of sound model risk management.
Importantly, the agencies emphasize that expectations should be scaled to the size, complexity, and risk profile of each institution each institution, a key clarification for smaller and less complex organizations.
Interested in chatting with us to learn more? Schedule a one-on-one meeting.
Five key themes and changes
The revised framework highlights key areas of focus for financial institutions managing model governance, validation, and third-party risk.
The updated guidance places strong emphasis on proportionality. Institutions are expected to tailor model risk management practices based on:
- The number and complexity of models in use
- The materiality and risk profile of individual models
- The extent of reliance on models in decision-making
- The extent of reliance on models in decision-making
For many community institutions, this means focusing on material, high-risk models (e.g., CECL, interest rate risk, stress-testing tools) rather than lower-risk tools (e.g., basic spreadsheets, simple calculations).
The agencies retain the foundational elements of model risk management:
- Model development, implementation, and use
- Independent validation and ongoing monitoring
- Governance, policies, and controls
Community Banks and credit unions frequently rely on vendor-provided models (e.g., CECL, ALM). The guidance reinforces that institutions remain fully responsible for model risk, even when using third-party solutions.
Key expectations include:
- Understand how these models work at a conceptual level
- Perform appropriate validation and performance monitoring based on risk of each model
- Integration into the institution’s broader model risk framework
Reliance on vendors does not transfer responsibility for model risk.
The guidance is most directly relevant for larger and more complex institutions (generally more than $30 billion in assets). However, it applies broadly, with expectations scaled to each institution’s risk profile. Examiners should consider an institution’s risk profile and approach, which should reduce concerns about being held to large-bank standards.
Additionally, the new language revises the definition of a “model” to exclude “simple arithmetic calculations, such as those found within spreadsheets”. While this language covers the majority of simple excel-based tools, this does not mean all excel-based tools are excluded if it contains complex forecasting or similarities within the calculation.
The guidance does not address generative AI or advanced AI tools.
The agencies have indicated that separate guidance or rulemaking will address AI-related risks.
As AI technologies continue to reshape the financial services industry, institutions should consider how governance and risk management frameworks may adapt to evolving regulatory expectations. Baker Tilly continues to monitor the evolving AI landscape and related risk considerations.
