SR 11-7
Federal Reserve / OCC supervisory guidance issued jointly in 2011 establishing model risk management as a named risk category. Required institutions to build formal model governance infrastructure (inventory, validation, documentation) analogous to how credit or market risk is governed. Superseded by SR 26-2 in April 2026.
SR 26-2
April 2026 interagency guidance (Fed + OCC + FDIC) that superseded SR 11-7. Key updates: uniform $30B asset threshold for applicability; explicit proportionality principle (governance intensity scales with model materiality); generative/agentic AI excluded from scope; rescinded older OCC credit scoring guidance to consolidate into one framework.
SR letter format
"Supervision and Regulation" letters — the Federal Reserve's format for communicating supervisory expectations to regulated institutions. Not law; principles-based guidance. But treated as baseline expectation during examinations and can inform safety-and-soundness findings.
Why SR 11-7 was created
Response to the 2008 financial crisis, which revealed that banks had placed enormous weight on credit risk, mortgage valuation, and capital adequacy models without adequately testing assumptions or governing model use. Model failures amplified systemic damage.
Definition of a "model" under SR 26-2
A complex quantitative method, system, or approach applying statistical, economic, or financial theories to process input data into quantitative estimates. Has three components: information input, processing (mathematical/statistical transformation), and reporting (output). Excludes simple arithmetic and deterministic rule-based processes with no statistical theory underpinning.
Three components of a model
(1) Information input component — data and assumptions fed into the model. (2) Processing component — the mathematical or statistical transformation. (3) Reporting component — the output or estimate produced.
Model risk definition
The potential for adverse consequences from decisions based on incorrect or misused model outputs. Arises from errors in model design, flawed assumptions, inappropriate use, or poor data quality. Even a technically sound model can pose high model risk if misapplied.
Model materiality
Determined by two factors: model purpose (nature and importance of use, especially regulatory uses) and model exposure (significance of the model output to business decisions). Higher materiality drives more intensive governance requirements.
Three pillars of MRM under SR 26-2
(1) Model development and implementation — sound design, methodology, data quality, documentation. (2) Model validation — independent assessment of model performance. (3) Governance, policies, and controls — board oversight, policies, model inventory, audit.
Conceptual soundness
First validation component. Assessment of the theoretical basis and design choices underlying the model — are the methods appropriate, assumptions reasonable, data selection justified? A model can be well-implemented but conceptually unsound.
Outcomes analysis
Second validation component. Compares model outputs to real-world outcomes to assess performance. Takes forms such as back-testing or outlier analysis. Catches implementation errors and domain drift that conceptual review alone would miss.
Ongoing monitoring
Third validation component. Evaluates whether a model continues to perform as expected as products, exposures, data, or market conditions change. Triggers re-validation or overlays when performance degrades.
Effective challenge
Core concept of SR 26-2. Critical analysis by objective experts who evaluate model risk throughout the model lifecycle. Requires three elements: (1) expertise — technical knowledge to conduct meaningful critique; (2) independence — organizational separation from model developers; (3) organizational standing — authority to effect change, not just identify issues.
Model inventory
Operational mechanism by which governance is applied. Must capture all active, in-development, and recently retired models including third-party/vendor models. A bank cannot govern what it has not catalogued.
Third-party model accountability
Institutions remain fully responsible for vendor-supplied models. Cannot outsource the accountability. Independent validation and performance monitoring still apply to outsourced models as though they were developed internally.
Model tiering
Most MRM programs assign models a tier (e.g., Tier 1 / Tier 2 / Tier 3) based on materiality. Tier determines validation frequency, documentation depth, and governance intensity. Tier 1 (highest materiality) typically requires annual validation; lower tiers may have longer cycles with continuous monitoring.
EUC (End User Computing)
Spreadsheets, Access databases, Python/R scripts built and maintained by business users rather than through formal IT development. In scope for MRM governance if they meet the definition of a model. Classic governance gap — widespread, mission-critical, often invisible to formal risk management.
Three lines of defense
Governance framework from operational risk management broadly applied to MRM. (1) First line: model owners/business users — own risk day-to-day. (2) Second line: MRM/validation function — independent oversight of first line. (3) Third line: internal audit — assures that first and second lines are functioning properly.
First line (MRM)
Model owners and business units who build and use models. Responsible for sound development, current documentation, flagging model changes, and ensuring models are used within intended scope. Accountable for model performance.
Second line (MRM)
The MRM / independent validation function. Does not build or use models. Writes validation reports, maintains model inventory, tracks findings to remediation. Must have organizational independence from first line, report through a separate chain, and have authority to challenge first-line work.
Third line (MRM)
Internal audit. Audits the MRM framework itself — not individual models. Assesses whether inventory is complete, validations are on schedule, findings are being remediated, governance structure is functioning. Reports to the board's audit committee, not to management.
Board audit committee
Subcommittee of the board of directors composed of independent directors (no material relationship with the company beyond board role). Oversees financial reporting, internal controls, and internal audit function. Internal audit reports functionally to audit committee, not to the CEO, to preserve independence.
Board risk committee
Separate board subcommittee that oversees the institution's risk appetite and risk management framework. CRO and MRM function report here. Receives regular reporting on aggregate model risk, validation status, and significant findings. SR 26-2 requires board-level oversight of model risk.
External auditors vs. external validators
External auditors (e.g., Big 4 firms): legally required, audit financial statements, report through audit committee, public accountability function, regulated by PCAOB. External validators: specialized consultants hired by MRM function to conduct validation work the internal team lacks capacity or expertise for — client-vendor relationship, not formal reporting line.
OCC (Office of the Comptroller of the Currency)
Bureau of the Treasury Department. Charters and primarily regulates national banks (those with "N.A." or "National Bank" in their name). Enforcement powers include revoking charters. Issued model risk guidance jointly with the Fed in SR 11-7 / OCC 2011-12.
Federal Reserve (regulatory role)
Primary regulator for (1) state-chartered banks that joined the Federal Reserve System, and (2) bank holding companies — the parent structures owning banks. Nearly every large financial institution has a holding company regulated by the Fed. Also the lender of last resort via the discount window.
FDIC (Federal Deposit Insurance Corporation)
Created 1933. Provides deposit insurance (up to $250K) funded by assessments on insured institutions. Primary supervisor for state-chartered non-member banks. Has authority to revoke deposit insurance — commercially necessary for any deposit-taking institution. Also acts as receiver when banks fail. Adopted SR 11-7 guidance in 2017.
Dual banking system
U.S. banks can be chartered at state or federal level. Charter choice determines primary regulator. National charter → OCC primary regulator. State charter → state banking department + either Fed (if Federal Reserve member) or FDIC (if non-member). Regulatory jurisdiction is based on charter type, not function.
Bank holding company
Parent corporate structure that owns a bank. Regulated by the Federal Reserve under the Bank Holding Company Act of 1956. Nearly all large financial institutions use this structure. Explains why SR 11-7/CCAR are Fed instruments that reach virtually all large institutions regardless of the bank's own charter type.
CCAR (Comprehensive Capital Analysis and Review)
Federal Reserve framework introduced 2009. Assesses whether large BHCs have adequate capital to survive stress and whether capital distributions (dividends, buybacks) are sustainable. Originally had both qualitative objection (governance) and quantitative pass/fail. Qualitative objection eliminated 2019; quantitative pass/fail replaced by Stress Capital Buffer mechanism in 2020.
DFAST (Dodd-Frank Act Stress Test) — two types
(1) Supervisory DFAST: Fed runs this itself using its own models against bank-submitted data. Produces public results annually. Banks don't build this test — they feed it data. (2) Company-run DFAST: banks run this themselves using their own internal models under Fed-provided scenarios. These models must meet SR 26-2 governance standards because they underpin public regulatory disclosures.
DFAST asset thresholds
Full annual supervisory DFAST: $100B+ in assets. Biennial (every other year) for Category IV ($100–$250B). Full annual for Category I/II/III ($250B+). Company-run DFAST threshold raised to $250B by EGRRCPA in 2019, reducing requirements for mid-size banks. Banks below $100B: no formal DFAST, but internal stress testing is a safety-and-soundness expectation.
DFAST supervisory results timeline
~February: Fed releases stress scenarios. April 5: FR Y-14A submission due (bank data). June: Fed publishes supervisory stress test results (firm-level, public). June 15–July 15: Banks publish their own company-run results. August: SCB calculations finalized. October 1: New SCB takes effect.
FR Y-14A
Primary CCAR/DFAST data submission. Filed by large bank holding companies. Contains two sub-schedules: DFAST version (excludes material business plan changes) and CCAR version (incorporates business plan changes and planned capital actions). Multiple schedules covering credit, market, operational risk, PPNR, capital instruments, etc.
CET1 (Common Equity Tier 1)
Highest-quality, most loss-absorbing form of bank capital. Core equity: retained earnings + common stock minus deductions (e.g., goodwill). Expressed as a ratio: CET1 capital ÷ risk-weighted assets (RWA). Regulatory minimum is 4.5%. The primary capital metric tracked through stress testing.
Risk-weighted assets (RWA)
Total assets adjusted for riskiness. Each asset class is weighted by credit risk — e.g., Treasury bills near zero, leveraged corporate loans high. A bank with $100B in assets might have $70B in RWA if its portfolio is relatively safe. Denominates the CET1 ratio.
Stress Capital Buffer (SCB)
Replaced CCAR's binary pass/fail in 2020. Calculated as: peak-to-trough CET1 decline in the severely adverse scenario + four quarters of planned common stock dividends, floored at 2.5%. Sets each institution's ongoing CET1 requirement above the 4.5% minimum. Risk-sensitive — riskier portfolios produce higher SCBs.
SCB formula
SCB = (Starting CET1% − Trough CET1% under severely adverse scenario) + (4 quarters of planned dividends as % of RWA). Floor: 2.5%. Total CET1 requirement = 4.5% minimum + SCB + G-SIB surcharge (if applicable).
SCB practical effect
Becomes binding capital requirement effective October 1 each year. Banks that breach the SCB face automatic restrictions on dividends, buybacks, and discretionary bonus payments through the Maximum Distributable Amount (MDA) framework. Stress test results directly constrain capital return to shareholders.
G-SIB surcharge
Additional capital requirement for Global Systemically Important Banks. Measures systemic footprint — not stress test performance — using five dimensions: size, interconnectedness, complexity, cross-jurisdictional activity, and short-term wholesale funding (Method 2, the more conservative U.S. approach). Score maps to a "bucket" with surcharges ranging from 1.0% to 4.5%.
G-SIB Method 1 vs Method 2
Method 1: Basel international framework using substitutability as the fifth indicator. Method 2: Fed's more stringent version replacing substitutability with short-term wholesale funding reliance. The higher of the two applies. Method 2 generally produces higher surcharges for U.S. G-SIBs, creating competitive tension with non-U.S. banks subject only to Method 1.
Total CET1 requirement (large banks)
4.5% (regulatory minimum) + SCB (stress test performance) + G-SIB surcharge (systemic importance). Example: JPMorgan Chase = 4.5% + 2.5% SCB + 4.5% G-SIB = 11.5%. The combination means riskier and more systemically important banks must hold significantly more capital than the floor.
CECL (Current Expected Credit Losses)
Accounting standard ASC 326, issued by FASB (not a banking regulator). Replaced the incurred loss model with a lifetime expected loss model. From loan origination, institutions must estimate and book all credit losses expected over the life of the asset using forward-looking economic forecasts. Adopted by large banks January 1, 2020.
CECL vs. DFAST
Both project future credit losses but serve different purposes. CECL: accounting exercise producing a balance sheet reserve based on best-estimate economic forecast. DFAST: regulatory capital exercise projecting losses under a prescribed severely adverse scenario. Often use the same underlying models with different scenario inputs. CECL is governed by FASB/external auditors; DFAST by Fed/OCC/banking regulators. SR 26-2 applies to CECL models.
CECL governance
CECL models are models under SR 26-2 and require full MRM governance. External auditors review CECL model methodology during financial statement audits (affects reported earnings and capital). Banking regulators confirmed SR 11-7 validation requirements apply to CECL models in 2019 joint guidance. Weak CECL model governance can produce a material weakness finding from external audit.
PPNR (Pre-Provision Net Revenue)
Revenue less expenses before accounting for loan loss provisions. A key component of stress test projections — banks must model how revenue would behave under the severely adverse scenario. Stress scenarios typically project significant PPNR compression. Separate modeling workstream from loss models in DFAST/CCAR submissions.
MRA (Matter Requiring Attention)
Primary formal finding mechanism from banking regulators after examination. Requires a written remediation plan with specific actions, owners, and timelines. Not public, but tracked by regulator across examination cycles. Open or slow-to-remediate MRAs attract increased supervisory scrutiny. Common MRM triggers: models in use without validation, stale validations, inventory gaps, lack of board-level oversight.
MRIA (Matter Requiring Immediate Attention)
More urgent variant of MRA. Typically requires remediation within 30–90 days. Issued when deficiency poses more immediate risk. Escalates to formal enforcement action (consent orders, formal agreements) if unaddressed — which are public and restrict business activities.
Model lifecycle stages
Development → Initial validation → Approval → Production/Active use → Re-validation (periodic) → Ongoing monitoring → Retirement. MRM platforms enforce documented evidence and approvals at each stage transition. A model's position in this lifecycle determines what governance actions are currently required.
Model findings
Output of validation — specific identified deficiencies in model design, documentation, data, or performance. Assigned severity (high/medium/low). Tracked in the MRM platform to remediation with owner and deadline. Open high findings on material models are significant examination concerns.
Model change management
Material changes to a model (methodology, data inputs, infrastructure migration) require documentation, testing, and validation sign-off demonstrating outputs remain appropriate. A SAS-to-cloud migration of a model is a material change under SR 26-2 — same governance applies as a model rebuild.
Tailoring rules (2019 EGRRCPA)
Economic Growth, Regulatory Relief, and Consumer Protection Act raised stress testing and enhanced prudential standard thresholds. Key change: company-run stress test threshold raised from $10B to $250B, reducing requirements for mid-size banks. Created four regulatory categories (I–IV) calibrating requirement intensity to size and complexity. Category IV ($100–$250B): biennial supervisory stress testing.
Category IV banks
Bank holding companies with $100–$250B in total assets. Subject to biennial (every other year) supervisory DFAST. Not subject to annual stress testing or the most intensive capital planning requirements. Still subject to SR 26-2 model risk governance and broader prudential standards. May elect to participate in stress tests in off years.
FFIEC (Federal Financial Institutions Examination Council)
Coordinating body — not itself a regulator — composed of Fed, OCC, FDIC, CFPB, NCUA, and state liaisons. Exists to harmonize examination standards across agencies so that guidance like SR 26-2 doesn't produce inconsistent interpretations across institution types.
CFPB (Consumer Financial Protection Bureau)
Created by Dodd-Frank 2010. Authority over consumer-facing financial products regardless of charter type — mortgages, credit cards, student loans. Writes consumer protection rules for banks and non-banks alike. Does not replace prudential regulators but adds a consumer-focused oversight layer.
History of model risk guidance
OCC 1997: credit scoring guidance (narrow). OCC Circular 2000-16: introduced model validation as a formal practice. SR 11-7 / OCC 2011-12 (2011): jointly issued; elevated model risk to a named risk category with required governance infrastructure. FDIC adopted in 2017 (FIL-22-2017). SR 26-2 (April 2026): updated interagency guidance superseding all prior issuances.
MRM platform core modules
(1) Model inventory — the registry of all models with metadata. (2) Validation workflow management — lifecycle stage tracking, validation assignments, evidence upload. (3) Findings tracking — severity, owner, deadline, remediation status. (4) Ongoing monitoring — performance metrics, trigger alerts. (5) Documentation management — methodology docs, validation reports. (6) Reporting — governance dashboards for management and board.
MRM platform backlog prioritization dimensions
(1) Regulatory exposure — does the gap produce an MRA if unaddressed? (2) Model materiality affected — which tier of models does this gap affect? (3) Detectability — is this gap immediately visible to examiners? (4) Remediation complexity — quick config fix vs. long technology build. (5) Dependency structure — foundational gaps (inventory completeness) must precede downstream capabilities (reporting dashboards).
Proportionality in SR 26-2
Governance intensity should be calibrated to model materiality, not applied uniformly across all models. Tier 1 / high materiality models receive more frequent validation, more intensive documentation, more rigorous challenge. Tier 3 / low materiality models receive lighter-touch oversight. Explicitly strengthened as a principle in SR 26-2 vs. SR 11-7.
Generative/agentic AI under SR 26-2
Explicitly excluded from scope. The guidance applies to traditional statistical/quantitative models and non-generative, non-agentic AI models. Generative and agentic AI are described as novel and rapidly evolving. A separate regulatory response (RFI process) is anticipated. Institutions are expected to apply risk management principles to these tools even outside the formal MRM framework.
Stress Capital Buffer vs. old CCAR pass/fail
Old CCAR (pre-2020): binary annual verdict — capital plan approved or rejected publicly. Qualitative objection could reject a plan even if numbers passed. New SCB mechanism: stress test results automatically flow into each institution's ongoing capital requirement, effective October 1. No binary pass/fail. Capital return constraints are continuous rather than event-driven. More elegant but higher ongoing stakes since a bad result raises capital requirements for a full year.
G-SIB surcharge vs. SCB — what each measures
SCB measures how badly your specific portfolio performs under a stress scenario — your losses. G-SIB surcharge measures how dangerous your failure would be to the rest of the financial system — your systemic footprint. Two separate capital add-ons measuring fundamentally different things, both adding to the 4.5% minimum.
SR 12-7 (interagency stress testing guidance)
2012 guidance encouraging stress testing as a risk management practice for institutions above $10B even where not formally required by DFAST. Relevant for mid-size banks that were relieved of formal company-run DFAST requirements by the 2019 tailoring rules. Examiners still ask about stress testing practices at banks in this range.
CECL and DFAST interaction
CECL adoption in 2020 coincided with COVID — institutions had just adopted a forward-looking loss model and immediately had to make extreme forecast judgments under unprecedented uncertainty. Fed chose not to incorporate CECL into supervisory DFAST models at adoption and is still evaluating this. Explaining the difference between CECL allowance (baseline forecast) and DFAST projected losses (severely adverse scenario) to boards and management became a significant communication challenge in 2020–2023.
Global equivalents of SR 11-7
UK PRA: SS 3/18. ECB: TRIM (Targeted Review of Internal Models). Canada OSFI: E-23. Same underlying logic — model risk is a named risk category requiring dedicated governance — but different scope, enforcement mechanism, and emphasis. U.S. G-SIBs face stricter capital requirements than international counterparts operating under Basel alone, creating ongoing competitive parity debate.