Model Risk Management Framework: The Bank Compliance Guide for 2026

Every bank uses models. Every bank that uses models takes on model risk. And after April 2026, every bank above $30 billion in assets is operating under a materially updated model risk management framework — one that replaced the 15-year-old SR 11-7 guidance with something more flexible, more proportional, and significantly more demanding on governance structure.

The practical question for financial technology leaders is not whether to build a model risk management framework — regulators settled that debate long ago. The question is whether your current framework can survive the scrutiny of revised interagency guidance that now expects risk-based proportionality, dynamic monitoring, and airtight documentation at every stage of a model's life.

This guide covers the four pillars of an effective MRM framework, what SR 26-2 changed, and the specific actions that separate defensible programs from ones that generate findings.

What Changed in April 2026: SR 26-2 Replaces SR 11-7

On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2, the first comprehensive update to model risk management guidance since SR 11-7 was published in 2011. The new guidance rescinds SR 11-7 and SR 21-8 and introduces three critical shifts:

1. Risk-based proportionality over prescriptive rules. Annual revalidation cycles are out. Validation frequency is now a function of materiality, change velocity, and data availability. High-exposure models warrant more frequent review; lower-risk tools can operate on longer, well-documented cycles.
2. Model materiality as the organizing principle. SR 26-2 ties oversight intensity to two factors: model exposure (how significantly model outputs drive decisions, measured by portfolio size or business impact) and model purpose (whether the model supports regulatory requirements or financial risk management). The combination determines tier and therefore resource allocation.
3. Explicit triggers for re-review. Rather than calendar-driven schedules, SR 26-2 requires banks to define and document the conditions that will trigger a model re-validation — changes in underlying data, significant shifts in model performance, material changes to use cases, or new regulatory requirements.

One notable carve-out: generative and agentic AI are explicitly placed outside SR 26-2's scope. The agencies acknowledge these tools are novel and rapidly evolving and have signaled separate guidance is forthcoming. For teams managing AI model risk today, the agentic AI and SR 11-7 gap analysis is required reading.

The Four Pillars of a Sound MRM Framework

1. Model Inventory

A defensible model risk program starts with a governed, centralized inventory. If you cannot enumerate your models — including shadow models, Excel-based tools meeting the definition of a model, and vendor-supplied models — you cannot manage their risk.

What the inventory must contain:

• Model ID, name, version, and owner
• Business line and intended use
• Tier designation (materiality level)
• Development and implementation dates
• Validation status and scheduled re-review date
• Dependent processes and downstream decision chains
• Applicable regulatory guidance (SR 26-2, CECL, fair lending, etc.)

The inventory is not a static spreadsheet. It is a living system that requires a defined update cadence, an owner accountable for completeness, and a clear process for onboarding new models — including ad hoc tools that grow into material decision-support systems over time.

For banks also managing data governance programs, the model inventory should connect directly to data governance infrastructure — particularly lineage tracking and data quality controls that feed model inputs.

2. Model Development and Documentation

SR 26-2 maintains a core principle from SR 11-7: documentation must be comprehensive enough to allow a knowledgeable third party to understand, replicate, and evaluate the model without relying on the original developer.

Minimum documentation standards include:

• Conceptual framework and theoretical basis
• Data sources, selection criteria, and preprocessing steps
• Model assumptions and their justification
• Testing methodology and results (in-sample and out-of-sample)
• Known limitations and conditions under which the model may perform poorly
• Approval record and sign-off chain

For vendor models, the documentation burden does not disappear — it shifts. Banks must document how vendor tools were customized, justify those customizations, and integrate vendor model performance into their own validation processes. "The vendor validated it" is not a sufficient control.

3. Independent Validation

Validation is the mechanism through which banks confirm that models do what they are supposed to do and are being used as intended. SR 26-2 reaffirms three core validation elements, carried forward from SR 11-7:

• Conceptual soundness — Do the model's assumptions and theoretical foundations hold up under scrutiny?
• Ongoing monitoring — Is the model performing within acceptable bounds as conditions evolve?
• Outcomes analysis — Are model predictions matching actual results? Where they are not, why not?

Independence is non-negotiable. Validators must be free from the business pressure of the teams that built and use the models. For smaller institutions where strict organizational separation is difficult, compensating controls — detailed validation protocols, documented challenges, and external review for high-tier models — must be clearly established and consistently applied.

See our complete SR 11-7 and SR 26-2 implementation guide for a deeper treatment of validation program design.

4. Ongoing Monitoring

Ongoing monitoring is where many programs fail. Validation events capture a model's performance at a point in time. Monitoring is what happens in between — and it is what tells you whether a model is drifting before it generates a material error or a regulatory finding.

Effective ongoing monitoring includes:

• Performance thresholds with defined tolerance bands
• Automated alerts when outputs deviate from expected distributions
• Regular back-testing against realized outcomes
• Data quality checks confirming input integrity
• Documentation of exceptions, root cause analyses, and remediation steps

SR 26-2 is explicit that monitoring intensity should match model materiality. High-tier models warrant continuous or near-continuous monitoring with documented escalation paths. Lower-tier models may use periodic reviews, provided the review cycle and methodology are documented and justified.

Governance: The Structure That Makes It All Work

No MRM framework functions without governance. The board sets policy and is ultimately accountable. Senior management translates policy into operational standards. Model Risk Management (or equivalent function) maintains the inventory, coordinates validation, and reports to the board on aggregate model risk exposure.

Three governance controls that distinguish strong programs:

1. A model risk appetite statement that defines acceptable levels of model exposure and is reviewed annually alongside the inventory.
2. A model risk committee (or equivalent forum) with representation from technology, finance, risk, and compliance that reviews tier assignments, escalations, and remediation progress.
3. Issue tracking with teeth — findings from validations must be assigned an owner, a remediation timeline, and a mechanism for escalation if they remain open past due dates.

For institutions building or rebuilding their MRM function, the FS AI Risk Management Framework playbook provides a 90-day structured implementation path.

Three Actionable Takeaways for 2026

1. Audit your model inventory against SR 26-2's materiality criteria. Tier every model by exposure and purpose. If you don't know which models are high-tier, you cannot allocate validation resources appropriately — and you cannot demonstrate to examiners that you've made rational risk-based decisions.
2. Define re-validation triggers, not just schedules. Replace calendar-driven validation cycles with documented trigger conditions: data changes, performance drift, use-case expansions, regulatory changes. This is what SR 26-2 expects and what modern model governance actually requires.
3. Close the vendor model documentation gap. For every third-party model in use, document the customization decisions and integrate vendor performance data into your ongoing monitoring program. Vendor accountability does not replace internal accountability.

Key Takeaways

• SR 26-2 (April 2026) replaced SR 11-7, shifting from prescriptive annual revalidation to a risk-based, materiality-driven approach to model oversight.
• The four pillars of an effective MRM framework are: model inventory, model development and documentation, independent validation, and ongoing monitoring.
• Model materiality — driven by exposure and purpose — determines validation frequency, documentation depth, and monitoring intensity.
• Generative and agentic AI are outside SR 26-2's scope; separate guidance is expected.
• Vendor models require internal documentation and validation integration — the vendor's own validation is not sufficient.
• Governance structure (board policy, model risk committee, issue tracking) is the connective tissue that makes the four pillars operational.

The Risk Dispatch covers model risk management, AI governance, and regulatory compliance for financial services technology leaders. For questions or corrections, contact the editorial team.