On April 17, 2026, the Federal Reserve, OCC, and FDIC quietly retired the rulebook that has governed bank model risk management for 15 years. SR 11-7 is gone — replaced by SR 26-2 — and every technology and compliance leader at a U.S. bank needs to understand what changed before their next examination cycle.
SR 26-2 is not a cosmetic update. The interagency guidance replaces the prescriptive, checklist-driven framework that most MRM programs were built around with a principles-based, materiality-first approach. Annual revalidation cycles are out. Rigid organizational structures are out. In their place: judgment, risk-proportionate governance, and aggregate model risk thinking. For banks that built compliance programs around the SR 11-7 playbook, this shift requires a genuine reassessment — not a find-and-replace of document headers.
What SR 26-2 Changes — and What It Keeps
The new guidance preserves the core pillars of sound model risk management: model development and implementation, independent validation, and governance. Regulators did not throw out the architecture — they changed how rigorously each pillar must be applied, and to which models.
What's gone: The de facto annual revalidation cycle that SR 11-7 implied across all model tiers is explicitly retired. Under SR 26-2, validation frequency is a function of materiality, change velocity, and data availability — with specific triggers for re-review rather than a calendar-based default. Banks that conducted perfunctory annual reviews on low-risk models to stay "compliant" can redirect that effort toward models that actually warrant it.
What's new: SR 26-2 introduces a formal materiality construct. Model materiality is defined as the combination of model exposure (the dollar significance of decisions the model drives) and model purpose (whether it serves a regulatory or internal decision-support function), modulated by inherent risk. High-materiality models — think regulatory capital, DFAST stress testing, BSA/AML transaction monitoring — receive intensive governance. Low-materiality models are maintained in inventory with lightweight controls, provided the bank has a mechanism to detect when materiality changes.
What's narrowed: The definition of "model" itself is tightened. SR 26-2 explicitly excludes simple arithmetic calculations, spreadsheets, and deterministic rule-based processes. The definition now requires the system to apply statistical, economic, or financial theory to qualify as a model. This is operationally significant: many institutions have been managing spreadsheet-based tools and basic rules engines under full SR 11-7 governance overhead. That overhead can now be formally reduced.
Model Inventory and Tiering: The Immediate Work
The first practical implication of SR 26-2 is a re-tiering exercise. The guidance expects a comprehensive model inventory that supports risk management at both the individual and aggregate level — and that inventory must now be organized around materiality rather than model type or business line.
Industry analysis suggests that banks running a full re-tiering exercise should expect 10 to 30 percent of legacy models to shift tier, mostly downward, with upward adjustments concentrated in regulatory reporting, BSA/AML, and AI/ML models used in credit decisioning. BSA/AML models — transaction monitoring, sanctions screening, and customer due diligence systems — are now explicitly inventoried and tiered alongside all other models under SR 26-2, absorbing the prior BSA/AML interagency statement that is also superseded.
For technology leaders, this creates a concrete near-term action: audit your model inventory against the new materiality framework. Models that previously warranted annual validation cycles may now qualify for lighter-touch ongoing monitoring. Models powering credit, capital, or regulatory outputs need to be stress-tested against the new aggregate risk requirements.
Aggregate Model Risk: The Requirement Most Banks Are Unprepared For
The most operationally demanding addition in SR 26-2 is the explicit mandate for aggregate risk assessment. Banks are now required to evaluate dependencies and common assumptions across multiple models simultaneously — not just validate each model in isolation.
This matters most in three scenarios: when multiple models share the same upstream data feed, when models in a chain feed outputs into subsequent models, and when correlated override logic creates compound failure modes. A credit scoring model and a fraud detection model that both depend on the same bureau data, for example, carry correlated risk that individual validation would miss entirely.
Building aggregate risk visibility typically requires governance tooling that links models in inventory, maps shared dependencies, and surfaces correlated assumptions. Most MRM programs built under SR 11-7 do not have this infrastructure. SR 26-2 makes it a supervisory expectation.
AI and Generative AI: What SR 26-2 Does and Does Not Cover
SR 26-2 applies to AI and machine learning models that meet the updated model definition — and for predictive AI, the inventory requirements are more demanding. The guidance expects banks to identify upstream data feeds, shared calibration logic, and correlated override points for AI models specifically, acknowledging that these systems create dependency structures that traditional statistical models do not.
Generative AI and agentic AI systems are explicitly placed outside the scope of SR 26-2, with regulators noting that additional guidance is forthcoming. This does not mean those systems are unregulated — the guidance instructs banks to apply existing model risk management principles consistent with the underlying risk. In practice, this means institutions deploying LLMs or agentic AI workflows in customer-facing or decision-support contexts should be building governance frameworks now, before formal guidance arrives. For context on how SR 11-7's principles apply to agentic systems, see Agentic AI in Banking: Applying the SR 11-7 Framework.
What Supervisory Scrutiny Actually Looks Like Under SR 26-2
SR 26-2 is non-binding on its face — it does not set enforceable standards, and non-compliance will not on its own result in supervisory criticism. But that framing understates the real stakes. Examiners and auditors treat the guidance as the standard for sound practice. When weak model risk management contributes to unsafe or unsound outcomes — a credit loss, a regulatory capital miscalculation, a BSA/AML failure — the absence of SR 26-2-aligned governance will be cited.
The shift from prescriptive to principles-based also changes the examination dynamic in a way compliance teams need to understand. Under SR 11-7, a bank could point to a completed annual validation checklist and demonstrate compliance. Under SR 26-2, examiners will ask how the bank determined what level of validation was appropriate — and whether that judgment was defensible given the model's materiality. The burden shifts from documentation to reasoning.
The guidance is expected to be most directly applied to banking organizations with more than $30 billion in assets regulated by the Federal Reserve, OCC, or FDIC. Mid-size and regional institutions should expect the principles to inform examinations proportionately, with supervisory expectations calibrated to their model risk profile.
Three Actions MRM Leaders Should Take Now
1. Conduct a materiality re-tiering of your model inventory. Map every model against the new materiality construct — exposure, purpose, and inherent risk. Expect 10 to 30 percent of your inventory to shift tier. Document the reasoning. This is the foundation SR 26-2 governance is built on, and it is what examiners will ask to see first.
2. Build aggregate risk visibility into your governance infrastructure. Identify models that share upstream data, feed into each other's outputs, or carry correlated assumption sets. If your current tooling treats every model as an island, SR 26-2's aggregate risk requirement is an immediate gap. The investment in dependency mapping pays dividends beyond compliance — it reduces operational risk in model changes and infrastructure migrations.
3. Audit your validation frequency and triggers against the new framework. Replace calendar-based review schedules with risk-based triggers tied to materiality, change velocity, and data drift. High-materiality models should have defined re-review triggers — significant performance degradation, input data changes, underlying assumptions invalidated by market events. Low-materiality models should have monitoring that detects when materiality changes. If you need a broader implementation timeline framework, the 90-day AI RMF roadmap for bank technology leaders offers a practical sequencing approach that maps directly to these priorities.
Key Takeaways
- SR 11-7 was officially replaced by SR 26-2 on April 17, 2026 — a joint Federal Reserve, OCC, and FDIC issuance that fundamentally changes the model risk management framework for U.S. banks.
- Annual revalidation cycles are eliminated. Validation frequency is now determined by model materiality, change velocity, and data availability — not the calendar.
- SR 26-2 introduces a formal materiality construct combining model exposure and model purpose; governance rigor must be calibrated to materiality tier, not applied uniformly.
- Aggregate model risk assessment is a new explicit requirement — banks must evaluate dependencies and correlated assumptions across models, not just validate in isolation.
- Generative AI and agentic AI are out of scope for SR 26-2, but banks are instructed to apply model risk principles to those systems while formal guidance is developed.
- The burden of proof under SR 26-2 shifts from checklist documentation to defensible judgment — examiners will ask why a governance level was chosen, not just whether a box was checked.