Revised Guide on Model Risk Management

OCC, FRB and FDIC

The U.S. federal banking supervisory agencies, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC), have issued guidance on model risk management (MRM), replacing the 2011 framework. The guidance reflects evolving expectations shaped by supervisory experience, industry feedback, and technological advances in modeling practices. While preserving the core foundations of the model risk management framework, it introduces a more explicit risk-based, proportional, and non-prescriptive approach across key areas, including scope, materiality, validation, governance, and third-party models.


Revised Guide on Model Risk Management

Watch video

Executive Summary

The revised model risk management (MRM) guidance preserves the core architecture of Supervisory Letter (SR) 11-7 while recalibrating its supervisory approach. It explicitly clarifies its non-binding nature and highlights its particular relevance for banking organizations with more than $30 billion in assets. The guidance also formalizes a taxonomy of model risk based on inherent risk, exposure, purpose, and use, and refines the definition of a “model” to focus on complex quantitative methods, excluding simple arithmetic calculations and rule-based deterministic processes. In addition, the guidance retains the three traditional components of validation, introduces a more flexible approach to organizational independence, and strengthens expectations for the oversight of vendors and other third-party models. Finally, it explicitly excludes generative artificial intelligence (AI) and agentic AI from its scope.

Main Content

The technical note is structured around the following key sections:

  • Purpose and scope. The revised guidance clarifies model risk management principles, introduces a more explicit risk-based and institution-specific approach, and narrows the definition of a model through a clearer perimeter.
  • Overview of model risk and its management. The guidance introduces an explicit taxonomy of model risk and defines materiality based on exposure and model purpose, while giving more prominence to aggregate risk.
  • Model development and use. The revised text places greater emphasis on defining the model’s purpose, incorporating user input, and ensuring proportionality of testing throughout the development lifecycle.
  • Validation and monitoring. The three components of validation are maintained, but the guidance places greater emphasis on the quality and effectiveness of the review than on strict organizational independence.
  • Governance and controls. Governance expectations continue to rely on policies, controls, roles, inventory, and documentation, with a more flexible approach to the role of internal audit.
  • Vendors and other third-party products. A dedicated section confirms that model risk management principles continue to apply to third-party products, even when institutions have limited access to the underlying code, data, or methodology.

Download the technical note on the Revised guide on model risk management