US banking agencies replace model-risk guidance with risk-based supervisory framework
Bank model-risk teams must remap governance, validation and vendor controls to the revised supervisory baseline
- — Model risk management teams at banking organizations with over $30 billion in assets must map existing model-development, validation, monitoring, governance and control practices against the revised risk-based supervisory guidance — unsafe or unsound practices or legal violations stemming from insufficient model-risk management can still trigger supervisory action.
- — Bank governance and control owners using vendor or third-party model products must document how those products are validated, monitored and controlled under the revised guidance — the agencies identify third-party products as part of the model-risk management framework.
- — Risk owners for generative and agentic AI models at banking organizations must keep those models outside the revised guidance scope and define separate governance and control coverage under internal risk-management practices — the agencies explicitly excluded those AI model types from this guidance.
- — Model risk management teams at banking organizations with over $30 billion in assets
- — Bank governance and control owners responsible for vendor or third-party model products
- — Risk owners for generative and agentic AI models at banking organizations
- — OCC, Federal Reserve and FDIC examining personnel using model-risk supervisory guidance
- — Issued: 2026-04-17 — revised interagency Supervisory Guidance on Model Risk Management
- — Rescinded: OCC Bulletin 2011-12, OCC Bulletin 2021-19, OCC Bulletin 1997-24 and the OCC Model Risk Management booklet
- — Next agency action: planned request for information on model risk management and banks’ use of AI, including generative and agentic AI
Reading more than one change? A free account gives you a monthly quota, saved history, and daily catch-up. Pro gives unlimited full briefs, Clarify, and real-time alerts.