The US banking industry has always been one of the most heavily governed sectors in the economy. But the arrival of machine learning models in credit underwriting, fraud detection, and customer risk scoring has created a compliance challenge that existing frameworks were never quite designed to handle.
Regulators have not been idle. The Federal Reserve’s SR 11-7 guidance, the OCC’s model risk management standards, fair lending statutes like ECOA and the Fair Housing Act, and a growing body of interagency statements have together formed a de facto AI governance framework for financial institutions. It predates the term “AI governance” by more than a decade, and understanding it is now a baseline requirement for anyone working at the intersection of financial services and machine learning.
This article maps that regulatory landscape in full: what each framework requires, where the gaps are, and how the most regulated institutions in the country are building governance programs that satisfy examiners without killing innovation.
What SR 11-7 Actually Requires And Why It Now Governs AI
In April 2011, the Federal Reserve Board and the Office of the Comptroller of the Currency jointly issued Supervisory Guidance on Model Risk Management. The document is known universally as SR 11-7. The FDIC adopted it in 2017. For over a decade, it has defined what sound model governance looks like for US banks.
SR 11-7’s definition of a “model” is deliberately broad: any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates. Machine learning algorithms, neural networks, and large language models used in decision-making pipelines meet that definition without ambiguity. The Federal Reserve’s Vice Chair for Supervision confirmed as much in 2023, stating that firms using newer AI techniques are expected to comply with existing model risk management expectations.
The guidance establishes three foundational requirements that have become the backbone of AI governance in banking:
Model development and use standards. Models must be built on sound methodology, tested against intended purpose, and used only within the scope of their design. A credit scoring model validated for prime borrowers cannot be silently extended to subprime populations without revalidation.
Independent model validation. Validation must be performed by staff or functions separate from those who developed and use the model. The validation framework requires three core elements: evaluation of conceptual soundness (including development evidence), ongoing monitoring (comparing outputs to actual outcomes), and outcomes analysis (back-testing against real results). Third-party and vendor models are explicitly included.
Governance and controls. SR 11-7 expects a formal model inventory, clear documentation, defined roles and responsibilities, and board-level or senior management oversight of model risk. The sophistication of the governance function should scale with the extent and complexity of model usage.
What makes SR 11-7 particularly relevant to AI governance is its risk-based framing. Model risk increases with complexity, uncertainty, breadth of use, and potential impact. Modern AI systems score high on all four dimensions, which means regulators expect governance intensity to match.
The OCC’s Revised Model Risk Management Guidance (2026)
In April 2026, the OCC, Federal Reserve, and FDIC jointly issued updated interagency model risk management guidance, formally rescinding OCC Bulletin 2011-12 and SR 11-7 for banks covered by the new document. The revised guidance maintains the principles of its predecessor while introducing a more explicit risk-based approach.
Several clarifications are significant for AI governance practitioners:
The updated guidance makes explicit that a bank’s model risk management sophistication should align with its size, complexity, and risk profile. Community banks under $30 billion in total assets are not expected to apply the same intensity as the nation’s largest institutions. A separate clarification bulletin (OCC Bulletin 2025-26) specifically notes that community banks are not required to perform annual model validation.
Generative AI and agentic AI systems are explicitly carved out of scope in the current revision, with the agencies noting these technologies are “novel and rapidly evolving.” A request for information specifically addressing generative AI in banking is planned as a follow-on action, a signal that additional guidance is coming rather than that these systems escape oversight.
The vendor and third-party provisions are strengthened. Banks using AI models provided by fintechs, cloud providers, or AI platform vendors remain responsible for understanding those models sufficiently to validate them and manage their risks. What the revised guidance makes clear, above all, is that model risk management is not a compliance checkbox. It is a substantive risk discipline, and regulators expect banks to treat it as one.
Fair Lending and Algorithmic Discrimination: The ECOA and FHA Challenge
Model risk management governs how AI systems are built and validated. Fair lending law governs what they are allowed to do, or more precisely, what they cannot do.
The Equal Credit Opportunity Act (ECOA) and the Fair Housing Act (FHA) prohibit discrimination based on race, color, religion, national origin, sex, marital status, age, and other protected characteristics in credit decisions. The Consumer Financial Protection Bureau and the Department of Justice have enforcement authority. So does the OCC in its examination of supervised institutions.
AI systems create three distinct fair lending risk vectors:
Disparate treatment occurs when a model uses a protected characteristic as an input, directly or as a proxy. Many ML models will identify zip code, surname patterns, or device type as predictive features that can serve as proxies for race or national origin without being labeled as such.
Disparate impact arises when a facially neutral model produces outcomes that disproportionately disadvantage protected classes, without business necessity justifying the disparity. Regulators expect banks to conduct regular disparity testing across protected classes, and the OCC has explicitly stated plans to assess how banks manage bias in AI models.
Adverse action notification requirements create a third challenge unique to complex AI. ECOA requires lenders to provide specific reasons for adverse credit decisions. CFPB issued circulars in May 2022 and September 2023 clarifying that the obligation to provide specific, principal reasons for adverse action applies regardless of whether an AI model was used. Explainability is not optional; it is a legal requirement.
The practical implication: banks using AI in credit decisions need explainability mechanisms that satisfy both the business need for predictive accuracy and the legal need for interpretable adverse action reasons. SHAP values, LIME explanations, and feature importance outputs are increasingly used for this purpose, though regulators have not yet issued specific guidance on which methods are acceptable.
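The following is an added example, not code from the article or from any bank's adverse action system. It assumes a logistic-regression credit model with constructed coefficients and a constructed reference population; for such a linear model, each feature's contribution `coef * (x - reference_mean)` is its exact Shapley value relative to that population (the linear-SHAP case, treating features as independent). The negative contributions are ranked and mapped to a hypothetical reason-code table, which is the step that turns a feature-importance output into the "principal reasons" an adverse action notice needs.

```python
"""Principal-reason generation for adverse action notices (added example)."""
import math
from dataclasses import dataclass

# Constructed model: positive coefficients raise the log-odds of approval.
COEFFICIENTS = {
    "credit_utilization": -2.5,        # fraction of revolving limit in use
    "months_since_delinquency": 0.03,
    "inquiries_last_6m": -0.35,
    "account_age_years": 0.12,
}
INTERCEPT = 0.4

# Constructed reference population means (the comparison point for explanations).
REFERENCE = {
    "credit_utilization": 0.30,
    "months_since_delinquency": 48.0,
    "inquiries_last_6m": 1.0,
    "account_age_years": 8.0,
}

# Hypothetical plain-language reason codes; a real programme uses its own documented table.
REASON_CODES = {
    "credit_utilization": "Proportion of balances to credit limits is too high",
    "months_since_delinquency": "Time since most recent delinquency is too short",
    "inquiries_last_6m": "Too many recent inquiries",
    "account_age_years": "Length of credit history is insufficient",
}


@dataclass
class Explanation:
    approval_probability: float
    contributions: dict       # feature -> signed contribution to log-odds vs. reference
    principal_reasons: list   # plain-language reasons, strongest negative first


def score(applicant: dict) -> float:
    """Model output: probability of approval under the constructed model."""
    logit = INTERCEPT + sum(COEFFICIENTS[f] * applicant[f] for f in COEFFICIENTS)
    return 1.0 / (1.0 + math.exp(-logit))


def contributions(applicant: dict) -> dict:
    """Per-feature contribution relative to the reference population.

    For a linear model this equals the Shapley value of the feature under the
    independence assumption used by linear SHAP (assumption stated in the lead-in).
    """
    return {f: COEFFICIENTS[f] * (applicant[f] - REFERENCE[f]) for f in COEFFICIENTS}


def explain(applicant: dict, max_reasons: int = 4) -> Explanation:
    """Rank the features that pushed the applicant below the reference population."""
    contribs = contributions(applicant)
    negative = sorted((c, f) for f, c in contribs.items() if c < 0)   # most negative first
    reasons = [REASON_CODES[f] for _, f in negative[:max_reasons]]
    return Explanation(score(applicant), contribs, reasons)


# Constructed applicant who would be declined under this model.
SAMPLE_APPLICANT = {
    "credit_utilization": 0.9,
    "months_since_delinquency": 6,
    "inquiries_last_6m": 5,
    "account_age_years": 2,
}

if __name__ == "__main__":
    result = explain(SAMPLE_APPLICANT)
    print(f"approval probability: {result.approval_probability:.3f}")
    for reason in result.principal_reasons:
        print("-", reason)
```

The validation point the article raises applies directly here: because the contributions are exact for a linear model, the reasons can be shown to reflect the model's actual decision drivers. For a gradient-boosting or neural model the same ranking step applies, but the contributions come from an approximation (such as TreeSHAP or KernelSHAP) whose fidelity the bank then has to test and document.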
Building an AI Model Inventory: The Foundation of Compliance
Before a bank can govern its AI systems, it has to know what it has. Model inventory management is foundational to everything else, and it is one of the areas where examiners most commonly find gaps.
A sound model inventory for AI governance purposes captures, at minimum:
- The model’s purpose and the decisions it supports, including its risk profile and regulatory implications
- Data inputs, including any sensitive or potentially proxy-generating features, documented at the feature level
- Validation status and schedule, with frequency proportional to model risk rating
- The model risk rating itself, assigned based on materiality, complexity, and potential impact
- Third-party model status, with documentation of vendor validation and due diligence
- Business owner and model risk officer responsible for governance at both first and second-line levels
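As an added example (not code from the article or from any model risk management platform), the record below carries the inventory fields listed above and derives a revalidation due date from the model's risk rating, so the inventory itself can answer the examiner's question of what is overdue, unvalidated, or undocumented. The revalidation cadence per rating and the set of inputs treated as proxy-risk are constructed assumptions for illustration, not regulatory figures.

```python
"""Model inventory records with risk-proportionate revalidation schedules (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed revalidation cadence (months) by model risk rating.
REVALIDATION_MONTHS = {"high": 12, "medium": 24, "low": 36}

# Assumed set of input names that must be documented as proxy-risk when used
# (the article names zip code, surname patterns and device type as examples).
PROXY_RISK_INPUTS = {"zip_code", "surname_pattern", "device_type"}


@dataclass
class ModelRecord:
    model_id: str
    purpose: str                          # decisions the model supports
    risk_rating: str                      # "high" | "medium" | "low"
    features: List[str]                   # inputs documented at feature level
    proxy_risk_features: List[str]        # inputs the owner has flagged as proxy-risk
    third_party: bool
    vendor_validation_doc: Optional[str]  # reference to vendor validation evidence
    business_owner: str                   # first-line accountability
    model_risk_officer: str               # second-line accountability
    last_validated: Optional[date]
    status: str = "production"

    def next_validation_due(self) -> Optional[date]:
        """Due date from the rating-based cadence (None if never validated)."""
        if self.last_validated is None:
            return None
        # 30-day months are a simplification; a real schedule uses calendar months.
        return self.last_validated + timedelta(days=30 * REVALIDATION_MONTHS[self.risk_rating])


def inventory_findings(records: List[ModelRecord], as_of: date) -> Dict[str, List[str]]:
    """Gaps an examiner would raise for each production model (empty list = clean)."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        if r.status != "production":
            continue  # retired or pre-production models are reviewed separately
        issues = []
        if r.last_validated is None:
            issues.append("never validated")
        elif r.next_validation_due() < as_of:
            issues.append("validation overdue")
        if r.third_party and not r.vendor_validation_doc:
            issues.append("vendor validation documentation missing")
        for f in r.features:
            if f in PROXY_RISK_INPUTS and f not in r.proxy_risk_features:
                issues.append(f"undocumented proxy-risk input: {f}")
        findings[r.model_id] = issues
    return findings


# Constructed sample inventory and review date.
SAMPLE_RECORDS = [
    ModelRecord("CR-001", "consumer credit underwriting", "high",
                ["credit_utilization", "zip_code"], [], False, None,
                "Consumer Lending", "MRM-Credit", date(2024, 1, 15)),
    ModelRecord("FR-002", "card fraud scoring", "medium",
                ["device_type", "txn_velocity"], ["device_type"], True, None,
                "Payments", "MRM-Fraud", date(2025, 1, 10)),
    ModelRecord("AML-003", "transaction monitoring alerts", "low",
                ["txn_amount"], [], True, "vendor-val-2024.pdf",
                "Financial Crimes", "MRM-AML", None),
]
AS_OF = date(2025, 6, 1)

if __name__ == "__main__":
    for model_id, issues in inventory_findings(SAMPLE_RECORDS, AS_OF).items():
        print(model_id, issues or ["no findings"])
```

Run on the constructed inventory, the high-risk credit model is flagged as overdue and as using `zip_code` without a proxy-risk designation, the vendor fraud model lacks validation documentation, and the AML model has never been validated, which are three of the recurring examiner findings the article describes.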
A bank that cannot produce a complete, current model inventory during an examination is already at a disadvantage. Most large institutions have invested in dedicated model risk management platforms. For mid-size institutions, this remains a common gap.
US Banking AI Regulatory Framework at a Glance
| Regulation/Guidance | Issuing Authority | Primary AI Governance Requirements |
|---|---|---|
| SR 11-7 / 2026 Interagency Guidance | Federal Reserve, OCC, FDIC | Model definition, independent validation, governance & controls, documentation, model inventory |
| ECOA / Regulation B | CFPB, DOJ, OCC | Fair lending compliance, adverse action notices, disparate impact testing, prohibited bases |
| Fair Housing Act | HUD, DOJ | Discrimination prohibition in credit and housing, disparate impact liability |
| BSA/AML AI Statement (2021) | Federal Reserve, FDIC, OCC | Model risk management for transaction monitoring AI, performance monitoring, validation |
| Third-Party Risk Mgmt (2023) | Federal Reserve, OCC, FDIC | Due diligence, contractual protections, ongoing oversight of vendor AI models |
| OCC Bulletin 2025-26 | OCC | Community bank scaling: proportionate MRM requirements for smaller institutions |
Model Validation for AI: What Examiners Actually Look For
Model validation is the technical core of SR 11-7 compliance. For traditional statistical models, the methodology is well-established. For machine learning models, particularly gradient boosting ensembles, deep learning networks, and transformer-based systems, standard validation approaches require adaptation.
Examiners conducting model risk reviews for AI systems tend to focus on several specific areas:
Conceptual soundness. Does the modeling approach make sense for the stated purpose? Is the training data representative of the intended use population? For credit models, regulators ask whether training populations reflect the prospective borrower population, since a model trained on approved loans only, without adjustment for selection bias, will systematically underperform.
Benchmarking and challenger models. SR 11-7 expects validators to compare model performance against alternative approaches. For AI models, this typically means building a simpler challenger model, often logistic regression, and demonstrating that the complexity of the primary model is justified by meaningful performance improvement.
Stability testing. Model performance should be tested across different time periods, economic conditions, and borrower segments. A model that performs well in normal credit conditions but degrades significantly during stress should be flagged for more intensive monitoring.
Bias and fairness testing. This is increasingly a standard component of AI model validation in banking. Validators test model outputs across protected class segments, identify disparate impact, and document findings. Where disparities are found, the bank needs a documented process for determining business justification or required model changes.
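The disparity test and proxy screen described here and in the fair lending section, as an added example that is not the article's code or any regulator's tool. Per protected-class segment it computes the approval rate and the adverse impact ratio (AIR) against the most-favoured segment, flagging segments below a review threshold; the 0.80 cut-off is the four-fifths rule used as a screening assumption, not a legal standard the article states. It also screens a model input for proxy behaviour using the standardized mean difference between two segments (the 0.5 threshold is likewise a constructed choice). All decision records are constructed, and the segment label is known only to the testing function, never to the model.

```python
"""Disparate impact and proxy screening over scored credit decisions (added example)."""
from collections import defaultdict
from math import sqrt
from statistics import mean, pvariance

# Constructed decisions: (protected-class segment, approved, model input values).
DECISIONS = [
    ("A", True,  {"zip_density": 1.0, "income_k": 60}),
    ("A", True,  {"zip_density": 1.2, "income_k": 55}),
    ("A", True,  {"zip_density": 0.9, "income_k": 70}),
    ("A", True,  {"zip_density": 1.1, "income_k": 65}),
    ("A", True,  {"zip_density": 1.3, "income_k": 58}),
    ("A", True,  {"zip_density": 1.0, "income_k": 62}),
    ("A", True,  {"zip_density": 0.8, "income_k": 68}),
    ("A", True,  {"zip_density": 1.2, "income_k": 59}),
    ("A", False, {"zip_density": 1.1, "income_k": 61}),
    ("A", False, {"zip_density": 0.9, "income_k": 64}),
    ("B", True,  {"zip_density": 3.0, "income_k": 61}),
    ("B", True,  {"zip_density": 2.8, "income_k": 57}),
    ("B", True,  {"zip_density": 3.2, "income_k": 69}),
    ("B", True,  {"zip_density": 3.1, "income_k": 63}),
    ("B", False, {"zip_density": 2.9, "income_k": 60}),
    ("B", False, {"zip_density": 3.0, "income_k": 58}),
    ("B", False, {"zip_density": 2.7, "income_k": 66}),
    ("B", False, {"zip_density": 3.3, "income_k": 62}),
    ("B", False, {"zip_density": 3.0, "income_k": 64}),
    ("B", False, {"zip_density": 2.9, "income_k": 59}),
]


def approval_rates(decisions):
    """Approval rate per segment."""
    counts = defaultdict(lambda: [0, 0])
    for segment, approved, _ in decisions:
        counts[segment][0] += int(approved)
        counts[segment][1] += 1
    return {seg: approved / total for seg, (approved, total) in counts.items()}


def adverse_impact_ratios(decisions):
    """Each segment's approval rate divided by the most-favoured segment's rate."""
    rates = approval_rates(decisions)
    best = max(rates.values())
    return {seg: rate / best for seg, rate in rates.items()}


def flagged_segments(decisions, threshold=0.80):
    """Segments whose AIR falls below the review threshold (four-fifths rule as a screen)."""
    return sorted(seg for seg, air in adverse_impact_ratios(decisions).items() if air < threshold)


def proxy_screen(decisions, feature, seg_a, seg_b, threshold=0.5):
    """Standardized mean difference of one input between two segments.

    A large |SMD| means the input separates the segments well enough that it
    may act as a proxy for membership; it is a screen, not a finding by itself.
    """
    a = [inputs[feature] for seg, _, inputs in decisions if seg == seg_a]
    b = [inputs[feature] for seg, _, inputs in decisions if seg == seg_b]
    pooled_sd = sqrt((pvariance(a) + pvariance(b)) / 2)
    if pooled_sd == 0:
        smd = 0.0 if mean(a) == mean(b) else float("inf")
    else:
        smd = (mean(a) - mean(b)) / pooled_sd
    return {"feature": feature, "smd": smd, "flag": abs(smd) > threshold}


if __name__ == "__main__":
    print("approval rates:", approval_rates(DECISIONS))
    print("AIR:", adverse_impact_ratios(DECISIONS))
    print("segments for review:", flagged_segments(DECISIONS))
    for feature in ("zip_density", "income_k"):
        print(proxy_screen(DECISIONS, feature, "A", "B"))
```

On the constructed data, segment B's AIR is 0.5 and is flagged, and `zip_density` separates the segments sharply while `income_k` does not, which is the pattern that would send a bank into the documented business-necessity review the article describes rather than straight to deployment.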
Ongoing monitoring. Initial validation is not enough. Banks are expected to monitor model performance over time, with defined thresholds that trigger review or redevelopment. Model drift, the gradual degradation of predictive performance as real-world conditions diverge from training data, is a specific area of examiner interest.
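An added example of the monitoring loop this paragraph describes; it is not code from the article or from any monitoring product. It measures score drift with a population stability index (PSI), binning current scores on the deciles of the validation-time sample, and maps PSI and discrimination loss to a governance action. The thresholds (0.10 review, 0.25 revalidate, 0.05 AUC drop) are constructed assumptions chosen to illustrate "defined thresholds that trigger review or redevelopment", not regulatory values, and the score samples are constructed.

```python
"""Score drift monitoring with a PSI-based revalidation trigger (added example)."""
import math

# Assumed monitoring thresholds.
THRESHOLDS = {"psi_review": 0.10, "psi_revalidate": 0.25, "auc_drop_revalidate": 0.05}


def psi(reference, current, bins=10):
    """Population stability index of `current` relative to `reference`."""
    ref_sorted = sorted(reference)
    # Bin edges at the reference sample's quantiles, so each reference bin holds ~1/bins.
    edges = [ref_sorted[int(i * (len(ref_sorted) - 1) / bins)] for i in range(1, bins)]

    def distribution(values):
        counts = [0] * bins
        for v in values:
            counts[sum(1 for e in edges if v > e)] += 1
        n = len(values)
        # Floor empty bins at a tiny share so the logarithm stays finite.
        return [max(c / n, 1e-6) for c in counts]

    ref_dist, cur_dist = distribution(reference), distribution(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref_dist, cur_dist))


def monitoring_action(reference_scores, current_scores, validated_auc, current_auc):
    """Map drift and discrimination metrics to the action the thresholds define."""
    drift = psi(reference_scores, current_scores)
    auc_drop = validated_auc - current_auc
    if drift >= THRESHOLDS["psi_revalidate"] or auc_drop >= THRESHOLDS["auc_drop_revalidate"]:
        return "revalidate"   # formal revalidation, not merely a note in the monitoring report
    if drift >= THRESHOLDS["psi_review"]:
        return "review"
    return "monitor"


# Constructed samples: validation-time scores spread evenly over [0, 1), and a
# current population whose scores have shifted upward (e.g. a changed applicant mix).
def validation_scores():
    return [i / 100 for i in range(100)]


def shifted_scores():
    return [0.3 + 0.7 * i / 100 for i in range(100)]


if __name__ == "__main__":
    ref = validation_scores()
    print("PSI, no change:", round(psi(ref, ref), 4))
    print("PSI, shifted:", round(psi(ref, shifted_scores()), 4))
    print("action:", monitoring_action(ref, shifted_scores(), 0.80, 0.79))
```

The point of returning an explicit action rather than a number is the gap the article notes later: a monitoring report that records degradation but leaves the follow-up to discretion is exactly what examiners cite, whereas a threshold wired to "revalidate" produces an auditable trigger.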
Third-Party AI Risk and the Fintech Partnership Challenge
A substantial and growing portion of AI used in banking is not built in-house. Banks rely on fintechs, cloud AI platforms, and specialized model vendors for fraud detection, credit scoring, AML monitoring, and customer analytics. This creates a governance challenge that regulators have specifically addressed.
SR 11-7 is explicit: banks are responsible for the risk management of all models used in their operations, including those developed and maintained by third parties. The OCC’s Third-Party Risk Management guidance, updated via interagency guidance in 2023, requires banks to conduct due diligence on vendors, establish contractual protections, and maintain ongoing oversight.
For AI models specifically, this creates practical tensions. Vendors of proprietary AI systems often cannot or will not share the full details of their model architecture, training data, or internal validation results. Banks are caught between regulatory expectations of comprehensive validation and commercial realities of limited access.
Examiners have shown awareness of this challenge. Banks that use proprietary AI are expected to compensate through rigorous output testing, performance monitoring, and contractual protections that include the right to audit and the right to receive validation documentation.
The Explainability Imperative: Regulatory and Legal Drivers
Explainability has moved from an academic ML research topic to a regulatory requirement in US banking. The legal driver is primarily ECOA’s adverse action notice requirement. The supervisory driver is SR 11-7’s emphasis on understanding model behavior. The two reinforce each other.
Banks using AI in consumer credit decisions must be able to provide the principal reasons for adverse action in plain language. Regulators have accepted feature importance-based explanations as a practical approach, but they expect banks to validate that the explanations produced are accurate representations of the model’s actual decision drivers, not just approximations that look reasonable.
Explainability requirements create a genuine tension with model performance. More complex models are often more accurate, but their internal workings are harder to explain. Many banks have responded by maintaining two-model architectures: a high-performance black-box model for risk segmentation and a simpler, interpretable model for adverse action reasons. Regulators have not formally endorsed this approach, and it carries its own risks.
The CFPB’s position has been consistent: the complexity of the technology does not reduce the legal obligation to explain decisions. Banks that cannot satisfy this requirement face both examination findings and potential enforcement exposure.
BSA/AML and AI: A Separate But Overlapping Framework
Anti-money laundering compliance represents one of the most significant AI use cases in banking, and one with its own regulatory overlay. Transaction monitoring systems have long used rules-based approaches. Many banks are replacing or supplementing these with ML-based systems that improve detection rates and reduce false positive rates.
In April 2021, the Federal Reserve, FDIC, and OCC issued an interagency statement specifically addressing model risk management for AI and ML systems supporting BSA/AML compliance. The statement confirmed that SR 11-7 principles apply to these systems, while acknowledging that BSA/AML models have distinctive characteristics, particularly the challenge of validating models where the “ground truth” of actual money laundering is difficult to label.
FinCEN has separately encouraged innovation in this space through its Innovation Initiative and engagement with the BSA Advisory Group on AI. The regulatory posture on BSA/AML AI is relatively supportive of adoption, with the understanding that banks apply the same model risk management rigor they would to any other model.
Governance Structure: What the Board and C-Suite Need to Own
Effective AI governance in banking is not a technology function. It is a risk governance function with technology dimensions. That distinction matters for how institutions organize their oversight.
SR 11-7 and the OCC’s guidance both require senior management and board-level oversight of model risk. For AI specifically, this translates into several organizational elements that examiners look for:
- A defined model risk appetite, approved at the board or senior management level, establishing the institution’s tolerance for model-driven errors and the thresholds that trigger escalation or model suspension.
- A model risk committee or equivalent governance body with authority to approve, restrict, or retire models, including representation from first line, second line, compliance, legal, and technology functions.
- A Chief Model Risk Officer or equivalent function with organizational independence from business lines that rely on models. Independence is a specific SR 11-7 requirement.
- Clear policies covering the full model lifecycle: development, approval, deployment, monitoring, redevelopment, and retirement. Gaps in the retirement process are a common examiner finding.
- Documentation standards that scale with model risk rating, with high-risk models requiring comprehensive developmental evidence documentation.
Practical Compliance Gaps: What Examiners Find Most Often
Based on publicly available examination findings, enforcement actions, and regulatory guidance, certain patterns in AI governance gaps recur consistently across US financial institutions:
Incomplete model inventories. Banks that have grown through acquisition or have rapid technology adoption often have models in production not captured in the formal inventory. Examiners have found shadow models performing decision-support functions without any governance oversight.
Insufficient validation of vendor models. Many banks perform only superficial due diligence on third-party AI. Output testing without access to model internals may not constitute sufficient validation, particularly for high-risk decision applications.
Inadequate fair lending testing. The OCC’s 2024 examination findings noted that many banks provided limited documentation of their efforts to evaluate bias in AI models. The gap is particularly pronounced for models acquired from third parties.
Explainability gaps in adverse action processes. Some banks are still operating with adverse action processes designed for scorecard models that do not translate to the ML systems that have replaced them.
Stale model validations. Models that were validated at implementation have not been revalidated as the economic environment and customer population have changed, and monitoring reports that flag performance degradation do not trigger formal revalidation.
Frequently Asked Questions
Does SR 11-7 apply to all AI models, including generative AI?
SR 11-7 and the 2026 interagency revision apply to models meeting the regulatory definition of quantitative methods that process inputs into quantitative outputs used in decisions. Most traditional ML models used in banking clearly meet this definition. Generative AI and agentic AI systems are specifically noted as outside the scope of the current 2026 guidance, with additional guidance planned. Banks deploying these systems should still apply model risk management principles consistent with the underlying risk.
What is the difference between model risk management and AI governance?
Model risk management addresses the risk that a model produces inaccurate outputs or is misused. AI governance is a broader concept encompassing ethics, fairness, transparency, accountability, and strategic oversight. In banking, MRM is the regulatory floor. AI governance adds the organizational and ethical dimensions that MRM does not fully address.
How should banks handle AI models acquired through fintech partnerships?
Banks are responsible for all models used in their operations, regardless of source. For fintech-acquired AI, banks should conduct due diligence proportional to model risk, obtain contractual rights to validation documentation and performance data, conduct independent output testing, and monitor performance on an ongoing basis. Where vendor transparency is limited, compensating controls and more intensive output monitoring are expected.
What explainability methods satisfy ECOA adverse action requirements?
Regulators have not endorsed a specific technical approach. Feature importance methods such as SHAP values are widely used and generally accepted in examination practice, provided the bank can demonstrate the explanation accurately reflects the model’s actual decision drivers. Banks should document their methodology, validate the explanation accuracy, and ensure plain-language reasons provided to consumers are derived from actual model outputs.
How do fair lending testing requirements apply to AI models?
Fair lending testing for AI models should include disparity analysis across protected class segments, testing for proxy variables in model inputs, and review of outcomes across geographic areas and demographic groups. Testing should occur at model development, before deployment, and on an ongoing basis after deployment. Where disparities are identified, banks must assess business necessity or require model changes.
What model risk management requirements apply to community banks?
The 2026 interagency guidance is primarily designed for banks with over $30 billion in total assets. OCC Bulletin 2025-26 specifically clarifies that community banks are not required to perform annual model validation and that requirements should be proportionate to the bank’s size and complexity. Community banks using AI in consumer credit decisions remain subject to fair lending requirements and basic model documentation expectations.
How should banks govern AI models used for BSA/AML compliance?
The 2021 interagency statement confirmed that SR 11-7 principles apply to BSA/AML AI systems. Key governance elements include model validation with performance benchmarking, documentation of detection logic, ongoing monitoring of false positive and false negative rates, and independent validation by staff not involved in model development or daily operation.
Conclusion
AI governance in US banking is not a future regulatory horizon. It is the present operating environment, defined by SR 11-7, OCC model risk management standards, ECOA and FHA fair lending requirements, and a growing body of interagency guidance that continues to evolve.
The most effective programs treat these requirements not as compliance exercises but as genuine risk management disciplines. A bank that validates its credit models rigorously, tests its AI for disparate impact consistently, and maintains a comprehensive model inventory is not just satisfying examiners; it is reducing the actual risk that its AI systems will produce wrong, discriminatory, or unexplainable decisions.
The regulatory gap that matters most right now is the one around generative AI and large language models in banking. The 2026 guidance explicitly deferred this question. Financial institutions deploying these systems for customer service, internal analytics, or decision support are operating ahead of formal regulatory expectations. Getting governance right before examiners arrive is the right approach.
For professionals building AI governance programs in financial services, GAICC’s certifications in AI governance and management systems provide the structured framework to lead these programs effectively across the full regulatory landscape.
