New Model Risk Management Rules and the Effect on Your Risk and Compliance Program

On April 17, 2026, the FDIC, the Office of the Comptroller of the Currency, and the Board of Governors of the Federal Reserve System jointly issued revised model risk management guidance — the most significant update to this area of banking supervision since SR 11-7 in 2011. The guidance rescinded two prior financial institution letters (FIL-22-2017 and FIL-27-2021) and replaced them with a modernized, principles-based framework built for today's model landscape.
For risk and compliance leaders in banking, the central question is not just what changed — it is whether your current model governance program is designed for the level of rigor and continuity this guidance expects.
What the Agencies Said — And What They Didn't
The revised guidance is deliberately principles-based, not prescriptive. The agencies make clear it does not set forth enforceable standards, and non-compliance will not by itself result in supervisory criticism. But do not mistake flexibility for low expectations. The guidance describes what "sound practice" looks like — and regulators will use that standard in examinations.
Primary scope: Banking organizations with over $30 billion in total assets. However, the guidance also explicitly applies to smaller institutions with "significant exposure to model risk because of the prevalence and complexity of their models."
What is a "model" under this guidance? A complex quantitative method, system, or approach applying statistical, economic, or financial theories to process input data into quantitative estimates. Simple arithmetic, deterministic rule-based processes, and basic software are excluded.
What is NOT in scope: Generative AI and agentic AI models are explicitly excluded in Footnote 3. But — the agencies also state that a bank's "risk management and governance practices should guide the determination of appropriate governance and controls" for these tools. The message: generative AI still must be governed somewhere.
Five Implications for Banking Risk and Compliance Teams
1. Model Inventory Is Now a Baseline Expectation
The guidance calls maintaining a comprehensive model inventory "common industry practice," language that signals examiner expectations. Your inventory must capture enough information to understand model risk at both the individual and aggregate level, including dependencies among models, common data sources, and shared assumptions.
This means model inventory management must move beyond spreadsheets. A governed, centralized repository that is searchable, current, and linked to validation status and controls is the foundation of a defensible model risk program.
2. Materiality Drives the Governance Tier
The guidance introduces materiality as the primary lens for governance rigor. Model materiality is a function of two factors:
Model exposure — the significance of model output to business decisions, measurable by portfolio size or business impact
Model purpose — whether the model supports regulatory requirements or financial risk management (higher risk) vs. other uses
High-materiality models warrant "comprehensive and rigorous oversight." Lower-materiality models may be identified and monitored with lighter-touch practices. Risk and compliance leaders must operationalize this tiering in both policy and systems — and document how materiality classifications are made and reviewed.
3. "Effective Challenge" Requires More Than Technical Expertise
"Effective challenge" must be conducted by individuals with three qualities: appropriate expertise, sufficient independence, and the organizational standing and influence to effect change. This third element is often where banks fall short.
Internal audit's role is clarified: it should evaluate whether model risk management practices are rigorous and effective, not duplicate development or validation activities. Banks using external resources must maintain proper oversight and integrate that work into the broader program.
4. Ongoing Monitoring Must Track Changing Conditions
The guidance ties ongoing monitoring explicitly to changing conditions: products, exposures, clients, data relevance, and market dynamics. A model that performed well when developed may no longer be fit for purpose in a different rate environment or after a portfolio shift.
This is a clear push toward continuous monitoring rather than calendar-based review cycles. Banks with annual or semi-annual review programs should assess whether that cadence is defensible given their model materiality profile — and whether their monitoring infrastructure can detect performance deterioration in near real time.
5. Vendor Model Validation Is a First-Class Obligation
The guidance devotes an entire section to vendor and third-party models. Even where underlying code, data, or methodology is proprietary, model risk management principles apply. Banks must:
Develop understanding of vendor model conceptual soundness, design, and development data
Conduct ongoing monitoring and outcome analysis to assess whether vendor models remain fit for purpose
Document, justify, and evaluate adjustments made to customize vendor models
For most banking organizations, vendor model risk is a significant and growing gap. The explosion of fintech partnerships, AI-powered credit and fraud models, and third-party BSA/AML systems creates a sprawling inventory of models for which banks are ultimately accountable — even when the vendor retains the underlying IP.
The AI Governance Wildcard
The explicit exclusion of generative AI and agentic AI from this guidance's scope may seem like a reprieve. It is not.
The agencies acknowledge that these technologies are "novel and rapidly evolving" and that governance and controls should still exist, determined by the bank's own risk management practices. If your bank is deploying large language models, AI agents, or generative AI tools in any business process, you need a dedicated AI governance framework that sits alongside — and integrates with — your model risk program.
That framework must address AI inventory management, bias and fairness assessments, transparency in AI decision-making, regulatory compliance mapping (including emerging EU AI Act and domestic frameworks), and explainability for regulators and customers alike.
The gap between "AI is excluded from model risk guidance" and "AI is ungoverned" is exactly where regulatory exposure lives.
How Archer Helps Banking Organizations Meet This Standard
Archer AI Governance delivers an enterprise approach to model risk management built around centralized AI inventory management — a comprehensive, categorized repository of AI assets tracked by risk level and application area. Pre-built and customizable assessments help banks evaluate AI models against regulatory requirements. An out-of-the-box controls library promotes ethical AI practices, and transparency tools provide clear documentation of AI decision-making for regulators and stakeholders. Aligned with the EU AI Act, Archer AI Governance also provides the flexibility to meet evolving domestic AI frameworks.
Included in the AI Governance approach are specific capabilities to assess unique regulatory requirements and risks around AI and statistical models. The compliance assessment process supports comparison of models against existing regulatory requirements, with comprehensive audit logs and detailed compliance reporting. Data governance capabilities ensure high data quality and integrity — a direct answer to the guidance's emphasis on data quality in model development.
The Bottom Line
The revised interagency model risk guidance signals that regulators expect banking organizations to govern models within a model risk management framework whose rigor is proportionate to risk, whose continuity is proportionate to materiality, and whose documentation is sufficient to withstand examination. That is a continuous program, not an annual project. For banks still running model risk management on spreadsheets, manual validation workflows, and periodic review calendars, the gap between current state and examiner expectations is widening. AI-native early adopters are achieving 40–60% reductions in manual compliance costs with payback under three years. The good news: this is a solvable problem. Centralized inventory, risk-based governance tiers, automated monitoring, and integrated AI governance are not aspirational capabilities — they are what Archer customers operate today.
FAQs
Does the new interagency model risk guidance apply to my bank if we're under $30 billion in assets?
Possibly. While the primary scope targets banking organizations with over $30 billion in total assets, the guidance explicitly extends to smaller institutions that have significant exposure to model risk due to the prevalence and complexity of their models. If your bank relies heavily on quantitative models for credit, fraud, BSA/AML, or other functions, you should assess your exposure regardless of asset size.
Our bank uses several third-party and vendor-provided models. Are we still responsible for validating those?
Yes — fully. The guidance makes vendor model validation a first-class obligation. Even when the underlying code, methodology, or data is proprietary, your bank remains accountable for understanding conceptual soundness, conducting ongoing monitoring, and documenting any customizations. Given the growth of fintech partnerships and AI-powered third-party systems, this is one of the most significant and commonly underestimated gaps for banking organizations today.
Generative AI is excluded from this guidance — does that mean we don't need to govern it?
No. The exclusion is not a free pass. The agencies explicitly state that a bank's own risk management practices should determine appropriate governance and controls for generative AI and agentic AI tools. If your bank is deploying large language models or AI agents in any business process, you need a dedicated AI governance framework that runs alongside your model risk program — covering inventory management, bias assessments, explainability, and regulatory compliance mapping. The gap between "excluded from model risk guidance" and "ungoverned" is precisely where regulatory exposure lives.