SR 26-2: What the 2026 Model Risk Management Update Actually Changed — and What It Left Out

See also (wiki): model-risk-management · agentic-ai-governance · ai-vendor-contracts

⚠️ UPDATE NOTE: This file supersedes the SR 11-7 framing in sr11-7-ai-model-risk-management.md for institutions with >$30B in assets. SR 26-2 was issued April 17, 2026, jointly by the Federal Reserve, OCC (Bulletin 2026-13), and FDIC. SR 11-7 (2011) is now rescinded for in-scope institutions.


Vendor caveat: None — this is primary regulatory guidance from federal banking regulators.

Credibility rating: TIER 1 — Federal Reserve Supervisory Letter SR 26-2, OCC Bulletin 2026-13, FDIC joint issuance, April 17, 2026.


Executive Summary

  • SR 26-2 replaces SR 11-7 (2011) as the primary model risk management framework for US banks. Primary applicability: institutions with >$30B in total assets. Issued April 17, 2026.
  • Generative AI and agentic AI are explicitly excluded from scope. The guidance states they “are novel and rapidly evolving” and “not within its scope.” A separate RFI on AI/GenAI in banking is planned.
  • Six substantive changes from SR 11-7: narrower institutional scope, tighter model definition requiring all three criteria, risk-based (not annual) monitoring, permissive non-binding language, redefined validator independence, and explicit AI governance carve-out.
  • The materiality framework is the key operational change: exposure + purpose determines validation depth, not a uniform annual cycle.
  • For community banks (<$30B): not enforceable, won’t trigger supervisory criticism — but the OCC notes smaller banks with significant model complexity may still face informal expectations.

What Changed from SR 11-7

| Dimension | SR 11-7 (2011) | SR 26-2 (2026) |
|---|---|---|
| Applicability | All Fed/OCC/FDIC supervised institutions | Primary: >$30B assets; limited application to smaller banks |
| Model definition | Broad — captured “most quantitative tools” | Tighter — requires all three: complex quantitative method + theoretical underpinning + quantitative output |
| Validation frequency | De facto annual cycle | Materiality-driven frequency (no prescribed interval) |
| Language | Prescriptive | Permissive (“sound practice”) — non-binding |
| Validator independence | Organizational separation from development team | Review quality and objectivity over org separation |
| GenAI / Agentic AI | Not addressed (written in 2011) | Explicitly excluded — separate framework forthcoming |
| Rescinded prior guidance | N/A | Rescinds SR 11-7, SR 21-8, OCC 2011-12, 2021 BSA/AML model risk statement |

The GenAI / Agentic AI Carve-Out: What It Means

The most consequential sentence in SR 26-2 for AI practitioners: “Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance.”

What this does NOT mean:

  • It does not mean generative and agentic AI are unregulated.
  • It does not mean examiners will ignore GenAI risk at your institution.
  • It does not mean existing enterprise risk management frameworks (operational risk, third-party risk, consumer compliance) stop applying.

What it does mean:

  • There is currently no specific federal model risk supervisory framework for LLMs, RAG systems, or AI agents in banking.
  • The existing SR 11-7 validation apparatus — conceptual soundness, back-testing, outcomes analysis — does not map cleanly to generative systems, and regulators have acknowledged this.
  • A formal Request for Information (RFI) on AI/GenAI governance in banking is expected. Until it arrives, institutions are expected to apply existing risk management principles with appropriate judgment.

The practical implication: Banks deploying GenAI face a governance vacuum at the federal MRM level. The safest interim posture is applying SR 26-2 principles (materiality, independent review, ongoing monitoring) to GenAI voluntarily, documented as internal policy, while awaiting the RFI and subsequent guidance.

Cross-reference: FINRA’s 2026 Annual Regulatory Oversight Report (Dec 2025) takes a parallel position for broker-dealers — requiring governance frameworks for GenAI but leaving specifics to firm-level policy. The regulatory posture across banking and securities is consistent: require governance, defer specifics.


The Materiality Framework

The core operational change in SR 26-2 is replacing the annual validation presumption with a materiality-driven framework. Four drivers determine model materiality:

  1. Inherent risk — complexity of the modeling approach, degree of judgment involved
  2. Exposure — financial footprint; how large is the portfolio or decision volume affected
  3. Purpose — decision weight; is the model the primary driver or one input among many
  4. Use — operational context; customer-facing vs. internal; regulatory capital vs. operational efficiency

High-materiality models get deep validation, frequent monitoring, senior sign-off. Low-materiality models get proportionate oversight. The institution sets the materiality thresholds; examiners assess whether the thresholds are reasonable and consistently applied.

For CIOs and risk officers: The materiality framework creates an opportunity to right-size validation burdens on low-risk models — but also creates an obligation to formally classify all models. Institutions that have never maintained a complete model inventory face the same first question from examiners under SR 26-2 as under SR 11-7.


What Stays the Same

The three-pillar validation framework is retained, less prescriptively:

  1. Conceptual soundness — sound theory, tested methodology, rigorous data quality
  2. Outcomes analysis — back-testing, benchmarking, sensitivity analysis
  3. Ongoing monitoring — performance tracking, alerts, periodic review

Third-party model governance remains the institution’s responsibility. “We bought it from a vendor” remains an insufficient defense — SR 26-2 carries forward the expectation of contractual validation rights and documented oversight.


Applicability Summary

| Institution Type | SR 26-2 Applicability |
|---|---|
| >$30B assets (Fed/OCC/FDIC regulated) | Primary scope — full expectations apply |
| <$30B assets with complex model portfolios | Limited application — not enforceable but informal expectations if model risk is significant |
| Community banks (<$30B, simple models) | Guidance available as reference; not supervisory requirement |
| Credit unions (NCUA regulated) | Not in scope — NCUA model guidance covers interest rate risk only (gap documented in GAO-25-107197) |
| Broker-dealers (FINRA regulated) | Not in scope — FINRA 2026 ROI governs separately |

Sources

| Source | Details | Tier |
|---|---|---|
| Federal Reserve SR 26-2 (Apr 17, 2026) | Joint issuance with OCC and FDIC; supersedes SR 11-7 | TIER 1 |
| OCC Bulletin 2026-13 (Apr 17, 2026) | OCC equivalent of SR 26-2; same joint guidance | TIER 1 |
| FDIC Press Release (Apr 17, 2026) | FDIC joint issuance confirmation | TIER 1 |
| GAO-25-107197 (May 2025) | Documents NCUA model risk gap | TIER 1 |
| FINRA 2026 Annual Regulatory Oversight Report (Dec 2025) | Parallel GenAI governance posture for broker-dealers | TIER 1 |