U.S. Banking Regulators Reset Model Risk Guidance as Industry Complexity Grows

Key Takeaways
  • Shift to Risk-Based Approach: Regulators emphasize that model risk management should be tailored to each bank’s size, complexity, and model usage rather than following rigid, one-size-fits-all rules.
  • Principles Over Prescriptive Rules: The guidance outlines sound practices but does not create enforceable requirements, and non-compliance alone will not result in supervisory criticism.
  • Full Lifecycle Focus: Banks are expected to manage model risk across development, validation, monitoring, governance, and third-party/vendor models, with an emphasis on ongoing performance and oversight.
  • Legacy Frameworks Retired: The OCC and FDIC are rescinding several long-standing model risk guidance documents, including OCC Bulletin 2011-12, signaling a modernization of supervisory expectations.
  • AI Left for Future Guidance: Generative and agentic AI models are explicitly out of scope, with regulators planning further consultation on AI-related model risk management.
Deep Dive

U.S. banking regulators have taken a fresh pass at one of the industry’s most foundational risk disciplines, issuing updated guidance on how banks should manage the growing web of models underpinning modern finance.

In a coordinated release, the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corporation unveiled revised model risk management guidance for supervised institutions. The update replaces a patchwork of earlier issuances, some dating back more than a decade, and reframes expectations around a more flexible, risk-based approach.

The move reflects both the increasing reliance on models across banking operations and a recognition that a one-size-fits-all framework no longer fits an industry defined by wide variation in size, complexity, and technological maturity.

A Principles-Based Turn

Rather than imposing new rules, the agencies are drawing clearer lines around what sound model risk management should look like in practice. The guidance emphasizes that programs should be tailored to a bank’s specific risk profile, with controls and oversight scaled accordingly.

It also makes a notable point about tone. The document does not establish enforceable standards, and non-compliance on its own will not trigger supervisory criticism. That positioning signals a deliberate shift away from prescriptive expectations toward a principles-based framework that gives institutions more room to exercise judgment.

At the same time, the underlying message is hard to miss. Models remain essential to modern banking, but they also carry real risk. Poorly designed or misapplied models can lead to financial losses, flawed decision-making, and errors in reporting, making effective oversight a central concern for both banks and regulators.

What “Good” Looks Like

The updated guidance walks through the full lifecycle of model risk management, outlining what regulators consider to be sound practice across several key areas.

It begins with model development and use, stressing that models should be built with a clear purpose and used within understood limitations. From there, it moves to validation and monitoring, where ongoing performance assessment and the ability to detect deterioration over time are critical.

Governance and controls form another cornerstone, with regulators highlighting the importance of defined roles, accountability, and effective oversight structures. The concept of “effective challenge” (independent, expert review of models) features prominently as a way to test assumptions and strengthen reliability.

The guidance also takes a practical view of third-party risk. Vendor-provided models, data, and tools are now a standard part of banking operations, and institutions are expected to validate and monitor those products even when underlying methodologies are not fully transparent.

Tailored Scope, Not Blanket Application

The agencies are explicit about where the guidance is likely to have the most impact. It is expected to be most relevant for banking organizations with more than $30 billion in assets, though smaller institutions are not exempt if their model usage is extensive or complex.

That distinction reinforces the broader theme of proportionality. Not all models carry equal weight, and not all institutions face the same level of exposure. Effective programs, regulators suggest, are those that recognize and adapt to those differences.

At the same time, the guidance acknowledges the limits of its own scope. Generative AI and agentic AI models (technologies that are quickly gaining attention across the industry) are not covered, reflecting their rapid evolution and the uncertainty surrounding how best to govern them.

Clearing Out the Old

Alongside the new framework, regulators are formally retiring several long-standing guidance documents. The OCC is rescinding Bulletin 2011-12, long considered a cornerstone of model risk supervision, along with later issuances tied to BSA/AML systems and credit scoring models. The FDIC is also withdrawing its own related guidance.

The clean break shows how much the modeling landscape has changed since those earlier documents were introduced and how regulators are trying to keep pace.

The agencies have signaled that this update is not the final word. A forthcoming request for information is expected to take a broader look at model risk management, with particular attention to how banks are using artificial intelligence.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.
