US Banking Regulators Revamp Model Risk Management Framework

The landscape of banking and financial services is constantly evolving, driven by rapid technological advancements and a push for greater efficiency and risk mitigation. To address these shifts, the OCC, the Board of Governors of the Federal Reserve System, and the FDIC have issued a revised guidance document on "Principles for Effective Model Risk Management". In this week's blog post, we break down: - How the guidance has shifted - Who it applies to (and who it doesn't) - What it covers (and what it doesn't) - How it addresses modern modeling challenges Read more: https://lnkd.in/eeqiEKgK

As faster payments become the norm, account verification can’t stay stuck in the past. Read how ownership verification is evolving to support speed while strengthening payments risk management: https://bit.ly/4dfmKIG

Most banks aren't ready for SR 26-2. It rescinds SR 11-7 and replaces checkbox compliance with a harder standard: defensible governance on its own terms. Nick Goble breaks down what changed, what's left unsaid, and how to respond — in three parts. Part 1 → https://hubs.ly/Q04dhqBc0

Easing capital rules will require banks to rediscover self-discipline When the formula no longer rewards better risk management, will banks have the discipline to hold capital for their unique operational risks? https://buff.ly/Ua8aHPw #FinTech #FinServ #Banking

Some of the most controlled banks are also the most exposed. Let that sit for a moment. Approvals — in place. Checks — in place. Documentation — in place. Everything looks right. And yet, when something goes wrong, it goes badly wrong. How? Because controls and resilience are not the same thing. Here's what's actually happening beneath the surface: 📋 Controls are duplicated — not designed. Three people approving the same thing. Nobody questioning whether the thing should happen at all. Volume of controls ≠ quality of protection. ✅ The focus is on compliance — not effectiveness. The checklist is complete. The box is ticked. But does anyone ask: is this control actually stopping the risk it was built for? Rarely. 🔍 The real risks are misunderstood. We protect against the risks we've seen before. We document what auditors look for. But the risk quietly building in the gap between two processes? Nobody owns that. This is how you end up with a system that looks strong — but fractures under real pressure. Not because the controls failed. Because they were never solving the right problem. 👉 A bank isn't resilient because it has many controls. It's resilient because it has the right controls — in the right places. The difference between a controlled bank and a resilient bank isn't paperwork. It's understanding. Understanding where risk actually lives. Understanding which controls actually matter. And having the courage to redesign the ones that don't. Compliance gives you coverage. Design gives you protection. Most banks are built for the audit — not for the risk. #riskmanagement

Regulators are pushing banks to prove resilience through simulation. Payments systems are equally critical — but most teams are still using basic API testing tools. 𝐏𝐫𝐮𝐓𝐀𝐍 𝐝𝐨𝐞𝐬 𝐟𝐨𝐫 𝐩𝐚𝐲𝐦𝐞𝐧𝐭𝐬 𝐭𝐞𝐬𝐭𝐢𝐧𝐠 𝐰𝐡𝐚𝐭 𝐝𝐫𝐲-𝐫𝐮𝐧 𝐬𝐢𝐦𝐮𝐥𝐚𝐭𝐢𝐨𝐧𝐬 𝐝𝐨 𝐟𝐨𝐫 𝐛𝐚𝐧𝐤𝐢𝐧𝐠 𝐫𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐜𝐞 — 𝐢𝐭 𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐞𝐬 𝐫𝐞𝐚𝐥-𝐰𝐨𝐫𝐥𝐝 𝐛𝐞𝐡𝐚𝐯𝐢𝐨𝐫 𝐛𝐞𝐟𝐨𝐫𝐞 𝐟𝐚𝐢𝐥𝐮𝐫𝐞 𝐡𝐚𝐩𝐩𝐞𝐧𝐬. https://lnkd.in/egS2jy2M

Bye Bye SR 11-7 | Welcome SR 26-2 With the issuance of updated guidelines by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation on 17 April 2026, the legacy SR 11-7 framework has now been formally superseded by SR 26-2. While the new guidance builds on the foundational principles of SR 11-7, there are some key unique points to consider: 1. Empowered Validation Function: The expectation has evolved from challenging models to also driving remediation and enhancements with the organizational standing and influence to effect any change. 2. Focus on Risk-Based Model Management: The guidelines bring much-needed clarity to proportionality in MRM by anchoring it on two key pillars: a) Model Exposure - Quantifiable impact (e.g., portfolio size, financial implications) b) Model Purpose - Qualitative importance in decision-making Together, these define model materiality, reinforcing that not all models should be governed equally, but all should be governed appropriately. 3. Special consideration for Vendor Models: A strong acknowledgment of the “black-box” challenge. The guidance emphasizes that reliance on third-party models does not dilute accountability. Institutions are now expected to: a) Demonstrate deep conceptual understanding b) Assess design, data, and performance rigorously c) Critically evaluate and document any customization Thus, SR 26-2 comes with sharper expectations, stronger accountability, and a clear push toward maturity in model governance. https://lnkd.in/gW5cPm_6 #ModelRisk #SR117 #SR262 #RiskManagement #Banking #Analytics #Governance #Regulation #IFRS9

💡Over 25 uses of the word 'may' in 12 pages! Perhaps more subjectivity, but not less accountability! While it 'may' 😄 appear third-party model risk flexibility is back, please do not confuse Fridays rescission and revision as a 180-degree shift. Continue to 'right size' bank vendors, align due diligence with actual risk, and document the 'why' of the technology partnership.💡https://lnkd.in/eQYwP-U3

FinCEN published a proposed rule today that would overhaul AML/CFT program requirements for every BSA-covered financial institution. The press release reads like recycled AMLA 2020 talking points, but the actual rule text does a few things that haven’t been done before. - It requires federal banking regulators to give FinCEN 30 days’ written notice before taking significant AML/CFT supervisory action. FinCEN reviews the action and the underlying information. Examiners will think differently about escalation when they know FinCEN might push back. - It codifies risk assessment as an explicit regulatory requirement for banks, broker-dealers, mutual funds, casinos, MSBs, and FCMs/IBCs. Examiners have treated this as mandatory for years without it actually being expressly required. This rule would finally put the legal text where the expectation has been for years. - It makes responsible AI adoption a mitigating factor in enforcement decisions. When deciding whether to pursue action against a bank, FinCEN’s Director would consider whether the bank employs AI that demonstrates program effectiveness. - FinCEN also acknowledged that SR 11-7 model risk management principles may be “overly burdensome and ill-fitted” for AML models. If that results in a carve-out, the governance overhead for adopting ML-based detection tools drops. - It raises the enforcement threshold for implementation failures. Today, a bank can face formal supervisory action for an isolated missed SAR or a documentation gap, even if the program itself is properly designed. Under this rule, regulators can only take significant action for “significant or systemic” failures in implementation. One-off gaps don’t qualify. This is still a proposed rule. Realistic timeline to finalization is 12-24 months, with the OCC, Fed, FDIC, and NCUA issuing parallel rules. If this Treasury team wants it done, they need to finish before the next election cycle. The rule rewards institutions that can prove their programs work. It does very little for institutions that can’t. https://lnkd.in/eb7-8auv