01 · § III.B · MODEL RISK LIFECYCLE
Validation, monitoring, documentation, challenge.
Banks should establish a model risk management framework with: independent validation, ongoing monitoring, comprehensive documentation, and effective challenge. Applies to all material models including ML / AI in production decisioning.
SR 11-7 · § III.B (carried forward in SR 26-2)
The phrase model risk management framework is verbatim regulator language from SR 11-7. SR 26-2 carries that framework forward and applies it explicitly to ML and AI agents in production. The supervisor reads the artefact against the four pillars; each pillar maps to a Warrant evidence field. For the pillar-by-pillar reading, see SR 11-7 model risk, read against the AI agent.
"Banks should establish a model risk management framework. The phrase is the spec. Everything else is engineering."
SR 11-7 · § III.B · regulator language
02 · FOUR PILLARS
The lifecycle obligations.
§ III.B
Independent validation evidence.
WARRANT · trace.model_validation_record_id (when supplied) binds the validation outcome to the decision artefact, independently verifiable without contacting Warrant.
§ III.B
Ongoing monitoring (champion-challenger, PSI, drift).
WARRANT · trace.model_governance.psi (when supplied) + per-action authorization_envelope.preconditions_met. Live when present.
§ III.B
Comprehensive model documentation.
WARRANT · trace.agent_id + trace.model_id + trace.model_version (immutable in the evidence package). Documentation gap surfaced when version_id absent.
§ III.B
Effective challenge captured.
WARRANT · trace.actions[*].alternative_paths_considered flags decisions where no alternative was logged.
§ III.B
Model inventory maintained.
WARRANT · trace.agent_id + trace.regulated_entity per trace today; cross-trace inventory roll-up ships v0.5, 2026 Q3.
03 · SR 26-2 CARRY-FORWARD
Same framework. Updated for AI.
SR 26-2 supersedes SR 11-7 in 2026 but the four pillars carry forward. The revision adds explicit treatment for ML and large language models in decisioning, references the OCC Comptroller's Handbook for examiner methodology, and confirms that AI agents acting on bank decisions count as material models.
GAO B-331324 is the canonical citation for the original 2011 SR 11-7 letter under Congressional Review Act review. Examiners still cite SR 11-7 by number; SR 26-2 carries the same paragraph references forward. The artefact a supervisor reads is the same shape under either letter.
15 yrs
SR 11-7 IN FORCE
Issued 4 April 2011, carried forward by SR 26-2 in 2026. The framework is older than most ML in production banking.
B-331324
GAO REFERENCE
Canonical citation under Congressional Review Act. Used by counsel and regulators as the primary historical reference for SR 11-7.
04 · WHY THIS REGULATOR NOW
What did SR 26-2 change for AI in banking?
SR 26-2 was issued by the Federal Reserve in early 2026 and supersedes SR 11-7 while preserving the four pillars verbatim. The revision adds explicit treatment for ML and large language models in decisioning, references the OCC Comptroller's Handbook for examiner methodology, and confirms that AI agents acting on bank decisions count as material models. The OCC continues to treat SR 11-7 § III.B as the operative test on examination; SR 26-2 is read in tandem.
Recent enforcement signal carries forward from a multi-year base. OCC consent orders against Wells Fargo (multiple, model-risk-related, 2018-2024, totalling over USD 3 billion in civil money penalties across consumer auto, mortgage, and deposit decisioning) cited SR 11-7 § III.B failures repeatedly. The Federal Reserve cease-and-desist order against Citigroup (October 2020, USD 400 million) cited significant ongoing deficiencies in enterprise-wide risk management, including model risk management. Multiple smaller OCC and Fed actions against community banks have followed the same template, with effective-challenge documentation as the most common gap finding.
Prosecutorial interest is moving toward AI agents specifically. The OCC's 2025 semiannual risk perspective named generative AI in lending decisioning as a heightened-risk activity. The Federal Reserve's Supervision and Regulation Letter SR 25-1 (April 2025) on third-party risk management referenced SR 11-7 explicitly when treating model-vendor relationships. The current examination cycle (April 2026 through Q1 2027) is the first to cite SR 26-2 directly in MRA and MRIA findings; counsel reviewing this page in May 2026 should expect that an unmapped AI agent in a material decisioning role is in scope for a §III.B finding on the next examination.
05 · MAPPING · FOUR PILLARS
Per-pillar field map.
Banks should pay particular attention to model uncertainty and inaccuracy and ensure that any uses of model outputs are appropriate, given the limitations of the underlying model. Model risk management should include disciplined and knowledgeable development and implementation processes that are consistent with the situation and goals of the model user and with bank policy.
SR 11-7 · § III.A · introductory framework (carried forward in SR 26-2)
The mapping below carries each of the four pillars and the supervisory expectations that flow from them. Each row names the obligation, the examiner's read, and the Warrant evidence field that satisfies it. This is the table an OCC or Federal Reserve examiner reads against the evidence package on horizontal review.
§ III.B · 1
Independent validation · model methodology, assumptions, limitations.
WARRANT · trace.model_validation_record_id (when supplied) binds the validation outcome to every decision artefact downstream, independently verifiable without contacting Warrant.
§ III.B · 2
Independent validation · ongoing testing as conditions change.
WARRANT · trace.model_governance.psi (when supplied) + drift_indicators per action. Live-validation linkage when validation_record_id is current.
§ III.B · 3
Ongoing monitoring · champion-challenger, PSI, drift, performance metrics.
WARRANT · trace.model_governance.psi + per-action authorization_envelope.preconditions_met. Monitoring outcome attached at action time, not aggregated post-hoc.
§ III.B · 4
Ongoing monitoring · benchmark and back-testing.
WARRANT · trace.backtesting_record_id (when supplied) flags decisions where benchmark metrics absent.
§ III.B · 5
Comprehensive documentation · methodology, data, limitations, validation.
WARRANT · trace.agent_id + trace.model_id + trace.model_version (immutable in the evidence package). Per-decision documentation snapshot resolves to model-card lineage.
§ III.B · 6
Comprehensive documentation · third-party replicability standard.
WARRANT · trace.regulated_entity + trace.policy_version_id. Documentation gap surfaced when version_id absent or detached from active validation.
§ III.B · 7
Effective challenge · objective, qualified, influential.
WARRANT · trace.actions[*].alternative_paths_considered flags decisions where no alternative was logged. Effective-challenge gap is the most common §III.B finding in MRA letters.
§ IV.A
Model inventory · all models in use, planned for use, recently retired.
WARRANT · trace.agent_id + trace.regulated_entity per trace today; cross-trace inventory roll-up ships v0.5, 2026 Q3.
§ V.A
Roles, governance, board oversight.
WARRANT · trace.signed_off_by + the record names the accountable officer's tenant. Senior-officer binding when supplied.
SR 26-2 · AI
AI/ML and large language models in decisioning · explicit material-model classification.
WARRANT · trace.agent_id binds to the AI deployment; trace.model_version captures foundation-model lineage; OCC Comptroller's Handbook treats LLM swaps as new model under § III.B documentation requirement.
SR 25-1
Third-party risk management read with SR 11-7 · vendor model oversight.
WARRANT · trace.regulated_entity (chartered bank) + the record names the vendor or sponsor-bank tenant. The bank's MRM framework reads through to the third-party model via the record.
06 · FAQ
Questions a CRO and OCC examiner ask first.
Does SR 11-7 apply to my firm if I am not a bank holding company?
SR 11-7 binds bank holding companies, state member banks, US branches and agencies of foreign banking organisations, and other supervised institutions. Non-bank lenders and fintech firms outside Federal Reserve supervision are not directly bound, but where a bank partner is the chartered entity (BaaS, sponsor-bank model), the bank's MRM framework reads through to the agent. The supervisor reads the chain irrespective of who deploys the model.
What did SR 26-2 change for AI agents specifically?
SR 26-2 carried the four pillars forward verbatim and added explicit treatment for ML and large language models in decisioning. The revision references the OCC Comptroller's Handbook for examiner methodology and confirms that AI agents acting on bank decisions count as material models. Effective challenge expanded to include alternatives-considered logging at runtime, not just at validation. GAO B-331324 remains the canonical historical reference for the original 2011 letter under Congressional Review Act review.
How do I generate SR 11-7 evidence if my agent runs on the Anthropic API?
Wrap each tool call with the Warrant trace shape (actor, action, subject, inputs, outputs, ts, alternatives_considered, rationale) and POST the JSON to /attest. Warrant produces the evidence package mapped to the four pillars per action: validation reference, monitoring outcome, documentation snapshot, effective-challenge alternatives. Same artefact whether the LLM is Anthropic, OpenAI, or open-source.
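The wrapping step described above, as an added example (not Warrant's own client code): it builds a record with the eight trace fields named in the answer around a tool call and prepares, without sending, the POST to /attest. Assumptions: the host is a placeholder, the value types are guesses, the local gap check is this example's own policy, and `set_credit_limit` is a constructed stand-in for an agent tool.

```python
import json
from datetime import datetime, timezone
from urllib.request import Request

# Field names come from the trace shape on this page; value types are assumed.
TRACE_FIELDS = ("actor", "action", "subject", "inputs", "outputs", "ts",
                "alternatives_considered", "rationale")
# Placeholder host: only the /attest path appears on the page.
ATTEST_URL = "https://warrant.example.invalid/attest"


def traced_call(actor, subject, tool, inputs, alternatives_considered=(), rationale=""):
    """Run tool(**inputs) and return (result, trace) recorded at action time."""
    ts = datetime.now(timezone.utc).isoformat()
    result = tool(**inputs)
    trace = {
        "actor": actor,
        "action": tool.__name__,
        "subject": subject,
        "inputs": inputs,
        "outputs": result,
        "ts": ts,
        "alternatives_considered": list(alternatives_considered),
        "rationale": rationale,
    }
    return result, trace


def trace_gaps(trace):
    """Local pre-flight check (assumed policy): missing fields, then empty challenge fields."""
    gaps = [f for f in TRACE_FIELDS if f not in trace]
    gaps += [f for f in ("alternatives_considered", "rationale")
             if f in trace and not trace[f]]
    return gaps


def build_attest_request(trace):
    """Serialise the trace as JSON and prepare the POST; refuse incomplete traces."""
    gaps = trace_gaps(trace)
    if gaps:
        raise ValueError(f"trace incomplete, not attesting: {gaps}")
    body = json.dumps(trace, sort_keys=True, default=str).encode("utf-8")
    return Request(ATTEST_URL, data=body, method="POST",
                   headers={"Content-Type": "application/json"})


def set_credit_limit(customer_id, limit_usd):
    """Constructed sample tool standing in for a real agent tool call."""
    return {"customer_id": customer_id, "limit_usd": limit_usd, "status": "applied"}
```

Pass the prepared request to `urllib.request.urlopen` once the real endpoint and authentication are known; a trace with no logged alternatives is rejected locally before it can become an effective-challenge gap in the evidence package.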
What does an OCC examiner pull as 'sufficient documentation' under § III.B?
Sufficient means a third party could replicate the model's purpose, methodology, limitations, and validation outcomes from the documentation alone. The OCC Comptroller's Handbook on model risk treats this as the operative standard. Per-decision documentation snapshots tied to model_version are the lever; aggregated model-card PDFs are necessary but not sufficient. The examiner will pull a specific decision and walk it back to the active validation record.
Are non-bank fintech AI deployments in scope?
Not directly under SR 11-7. But the bank-partner relationship pulls fintechs into the perimeter through the bank's vendor risk management. The Interagency Guidance on Third-Party Relationships (June 2023, Fed/OCC/FDIC) requires the bank to apply MRM-equivalent oversight to third-party models that drive bank decisions. The fintech that wants to scale BaaS deployments treats SR 11-7 evidence as the operative artefact.
What recent enforcement actions reference model risk under SR 11-7?
OCC consent orders against Wells Fargo (multiple, model-risk-related, 2018-2024, totalling over USD 3 billion in civil money penalties) cited SR 11-7 § III.B failures across consumer auto, mortgage, and deposit decisioning. The Federal Reserve cease-and-desist order against Citigroup (October 2020, USD 400 million) cited significant ongoing deficiencies in enterprise-wide risk management, including model risk management. Multiple OCC and Fed actions against community banks have followed the same template, with effective-challenge documentation as the most common gap finding.