Model risk & compliance

SR 11-7

Model Risk Management

Definition

Joint Federal Reserve and OCC supervisory guidance, issued April 4, 2011 (and adopted by the FDIC via FIL-22-2017 in June 2017), defining how US banks must govern model risk across the full lifecycle of a model — from development, implementation, and use through validation, deployment, and ongoing monitoring.

SR 11-7 organizes model risk management around three reinforcing activities: model development, implementation, and use (conceptual soundness of the model, appropriateness of the data, rigor of testing, and operation in production); model validation through “effective challenge” — evaluation of conceptual soundness, ongoing monitoring (including process verification and benchmarking), and outcomes analysis including back-testing; and governance, policies, and controls (a comprehensive model inventory with named owners, change-management policy, and decommissioning triggers). The guidance was issued jointly as Federal Reserve SR 11-7 and OCC Bulletin 2011-12 on April 4, 2011[1][3], and adopted by the FDIC via FIL-22-2017 in June 2017[4], making it the de facto US standard for any depository institution whose model risk eventually reaches a federal examiner.

For machine learning models, SR 11-7 applies in full. The guidance defines a model as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates”[2] — a gradient-boosted tree used for credit underwriting is a model under that definition; so is a neural network used for fraud detection. The OCC’s 2021 Comptroller’s Handbook update on model risk management explicitly reinforces ML applicability and deepens supervisory expectations for vendor and third-party models[7]. Practically, examiners expect reproducible training pipelines, versioned feature definitions, documented data lineage, performance metrics on out-of-time samples, and a monitoring plan with explicit refresh triggers. Documentation that “exists somewhere” is not the same as documentation produced as a deliverable of the model build, and the difference is what usually delays a model from leaving validation.

The three pillars

| Pillar | What examiners expect |
| --- | --- |
| Model development, implementation, and use | Documented theory and methodology; appropriate, quality-checked data with lineage; rigorous developmental testing across train, validation, and out-of-time samples; clear statement of assumptions and limitations; controlled implementation and disciplined production use. |
| Model validation | Independent “effective challenge” covering conceptual soundness, ongoing monitoring (process verification, benchmarking, sensitivity analysis), and outcomes analysis (including back-testing). Validators are functionally independent of developers and users[2]. |
| Governance, policies, and controls | Comprehensive model inventory with named ownership, policies for approval and change management, ongoing monitoring with explicit refresh and decommissioning triggers, and clear board-and-senior-management accountability. |

On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2 / OCC Bulletin 2026-13 (“Revised Guidance on Model Risk Management”), which supersedes and replaces SR 11-7 and SR 21-8[5][6]. The revised guidance is most directly applicable to banking organizations with more than $30 billion in total assets and emphasizes a risk-based, materiality-tiered oversight regime. Generative AI and agentic AI are explicitly excluded from scope, pending a forthcoming interagency request for information. Its core principles — sound development, independent effective challenge, and governance — carry forward unchanged from SR 11-7, so teams that already operate to those principles will recognize most of what is asked of them. Smaller institutions continue to look to SR 11-7 (and SR 21-8[8] for BSA/AML model risk) as the operative framework until further interagency action.

Fair-lending overlay for ML credit models

SR 11-7 itself is silent on fair lending; that overlay comes from ECOA, Regulation B, and CFPB Circulars 2022-03[9] and 2023-03[10], which clarify that adverse-action notification requirements apply fully to credit decisions made by “complex algorithms” including ML and AI. The reproducibility, lineage, and explainability that SR 11-7 expects at the model level are exactly what make ECOA-compliant adverse-action notices feasible at the application level. Many institutions also reference the NIST AI Risk Management Framework[11] as a cross-sector complement to MRM.

Sources

  1. SR 11-7: Guidance on Model Risk Management. Board of Governors of the Federal Reserve System, April 4, 2011 (retrieved 2026-05-15)
  2. SR 11-7 Attachment: Supervisory Guidance on Model Risk Management (PDF). Board of Governors of the Federal Reserve System, April 4, 2011 (retrieved 2026-05-15)
    “A model is a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.”
  3. OCC Bulletin 2011-12: Sound Practices for Model Risk Management. Office of the Comptroller of the Currency, April 4, 2011 (retrieved 2026-05-15)
  4. FDIC FIL-22-2017: Adoption of Supervisory Guidance on Model Risk Management. Federal Deposit Insurance Corporation, June 7, 2017 (retrieved 2026-05-15)
  5. SR 26-2: Revised Guidance on Model Risk Management. Board of Governors of the Federal Reserve System, April 17, 2026 (retrieved 2026-05-15)
  6. OCC Bulletin 2026-13: Model Risk Management — Revised Guidance. Office of the Comptroller of the Currency, April 17, 2026 (retrieved 2026-05-15)
  7. OCC Bulletin 2021-39: Model Risk Management — New Comptroller's Handbook Booklet. Office of the Comptroller of the Currency, August 18, 2021 (retrieved 2026-05-15)
  8. SR 21-8: Interagency Statement on Model Risk Management for BSA/AML Compliance. Federal Reserve, FDIC, OCC, NCUA, FinCEN, April 9, 2021 (retrieved 2026-05-15)
  9. CFPB Circular 2022-03: Adverse action notification requirements in connection with credit decisions based on complex algorithms. Consumer Financial Protection Bureau, May 26, 2022 (retrieved 2026-05-15)
  10. CFPB Circular 2023-03: Adverse action notification requirements and the proper use of the CFPB's sample forms in Regulation B. Consumer Financial Protection Bureau, September 2023 (retrieved 2026-05-15)
  11. NIST AI 100-1: Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, January 26, 2023 (retrieved 2026-05-15)