On April 17, 2026, the OCC, Federal Reserve, and FDIC issued updated interagency Model Risk Management (MRM) guidance, formally rescinding prior guidance dating back to SR 11-7 and related agency issuances. For many community banks, the announcement raised a familiar concern: Does this mean new requirements, more validation, or expanded examiner expectations?
The short answer is no. In fact, much of the updated guidance is intended to reset expectations, particularly for community banks, and to reaffirm a risk based, proportionate approach that had often been lost in practice.
Why the Agencies Updated the Guidance
The agencies point to several developments since the original 2011 guidance:
- Increased reliance on models across banking activities
- Greater use of vendor provided tools
- Advances in analytics and non-generative AI
- Ongoing supervisory experience and industry feedback
Importantly, the update is framed as a clarification and modernization, not a rulemaking. The guidance explicitly states it does not establish enforceable standards or prescriptive requirements, and noncompliance alone will not result in supervisory criticism.
Applicability to Community Banks
Although the guidance technically applies to all banks, the agencies are explicit about where it is expected to be most relevant:
- Primarily institutions over $30 billion in total assets
- Community banks only where model risk is significant due to complexity, volume, or non-traditional activities
For most community banks, models remain limited in number and complexity, and existing internal governance and controls may already be sufficient. This point is reinforced repeatedly across the interagency guidance and the OCC’s companion issuances.
OCC’s Clarification: A Critical Message for Community Banks
Well before the April 2026 update, the OCC addressed a long-standing problem: misinterpretation of model risk guidance as prescriptive for community banks.
In its clarification bulletin, the OCC emphasized:
- Annual model validation is not required
- Validation frequency and scope should be risk based
- Examiners will not criticize banks solely for choosing less frequent or less extensive validation where reasonable
This clarification remains fully applicable under the revised guidance and is directly referenced by the OCC in its 2026 bulletin. In other words, the OCC is intentionally reining in over application of large bank MRM concepts to community institutions.
What’s Actually New in the 2026 Guidance
While much of the guidance will feel familiar, several areas deserve attention:
1. Reframed Definition of a “Model”
The guidance reiterates that a model refers to complex quantitative methods grounded in statistical, economic, or financial theory. It explicitly excludes:
- Simple spreadsheets
- Deterministic rule-based tools
- Software without quantitative theory underpinning
This clarification is particularly helpful for community banks concerned that every calculation tool might be swept into their model inventory.
2. Model Materiality as the Central Lens
Rather than focusing on labels, the guidance emphasizes model materiality, driven by:
- Model exposure (financial or business impact)
- Model purpose (regulatory, risk management, decision making)
- Inherent risk (assumptions, complexity, inputs)
Immaterial models may warrant limited oversight, while higher impact models require greater rigor—again reinforcing proportionality.
3. Validation and Monitoring — Emphasis on Judgment
Validation remains a core element, but the guidance is clear:
- Rigor should match risk
- Timing and frequency vary by model
- Interim controls may be appropriate when validation is incomplete
- Outcomes analysis and monitoring are as important as point in time testing
For community banks, this supports targeted validation rather than full scope exercises for every model.
4. Vendor and Third-Party Models
The guidance acknowledges practical limitations with vendor models, including proprietary constraints. Banks are expected to:
- Understand model design and limitations
- Perform outcome analysis and monitoring
- Document and justify overlays or adjustments
What is not required is access to source code or full redevelopment of vendor models.
What About AI?
While the guidance discusses non-generative, non-agentic AI models, it explicitly states that generative and agentic AI are out of scope. The agencies note that future guidance or requests for information may address AI more fully, but for now, community banks should focus on applying existing risk management principles where relevant.
Practical Takeaways for Community Banks
For most community banks, the updated guidance should be viewed as an opportunity to right size, not rebuild, model risk management. Practical steps include:
- Confirming which tools truly meet the definition of a model
- Tiering models by materiality
- Reassessing validation frequency and scope based on actual risk
- Ensuring governance and documentation are clear and defensible
- Aligning practices with OCC’s explicit proportionality messaging
Perhaps most importantly, banks should feel empowered to exercise reasonable judgment, supported by documentation, rather than defaulting to large bank practices out of caution.
Bottom Line
The 2026 interagency update is less about raising the bar and more about resetting expectations. For community banks, it reinforces what regulators have been saying, now more clearly and consistently, for several years: model risk management should be commensurate with risk, not institution size.
Banks that take a measured, thoughtful approach aligned with their actual model usage are well positioned under the revised guidance.
If you have any questions or are interested in learning more, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.
