REGULATOR · US FED · MODEL RISK MANAGEMENT
UPDATED 2026-06-10 · SR 26-2 (2026-04-17) SUPERSEDES SR 11-7 · § III.B

SR 26-2 / SR 11-7.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. SR 26-2 (17 April 2026, OCC Bulletin 2026-13) is the current Federal Reserve / OCC / FDIC interagency guidance on model risk management; it supersedes and replaces SR 11-7 (2011) and SR 21-8, principles-based and risk-tailored, most relevant to banks above USD 30 billion in assets · jurisdiction: US banks under Fed, OCC, FDIC supervision · penalty: MRA / MRIA, civil money penalties, supervisory action. Banks must run a model risk management framework: independent validation, ongoing monitoring, comprehensive documentation, and effective challenge.

CLAUSE
§ III.B
Model risk management lifecycle, all material decision models.
CURRENT GUIDANCE
SR 26-2 · 2026-04-17
Supersedes SR 11-7 (2011) and SR 21-8. OCC Bulletin 2026-13 companion.
SUPERVISORS
Fed · OCC · FDIC
Joint guidance, enforced under examinations.
01 · § III.B · MODEL RISK LIFECYCLE

Validation, monitoring, documentation, challenge.

Banks should establish a model risk management framework with: independent validation, ongoing monitoring, comprehensive documentation, and effective challenge. Applies to all material models including ML / AI in production decisioning. SR 11-7 · § III.B (the discipline SR 26-2 carries into its 2026 restatement)

The phrase model risk management framework is regulator language SR 11-7 established. SR 26-2 (17 April 2026) is the current guidance: it supersedes SR 11-7, restates the discipline as principles-based and risk-tailored, and applies it explicitly to ML and AI agents in production. The supervisor reads the artefact against the four pillars; each pillar maps to a Warrant evidence field. For the pillar-by-pillar reading, see SR 26-2 / SR 11-7 model risk, read against the AI agent.

"Banks should establish a model risk management framework. The phrase is the spec. Everything else is engineering."SR 11-7 · § III.B · regulator language
02 · FOUR PILLARS

The lifecycle obligations.

§ III.B
Independent validation evidence. WARRANT · trace.model_validation_record_id (when supplied) binds the validation outcome to the decision artefact, independently verifiable without contacting Warrant.
§ III.B
Ongoing monitoring (champion-challenger, PSI, drift). WARRANT · trace.model_governance.psi (when supplied) + per-action authorization_envelope.preconditions_met. Live when present.
§ III.B
Comprehensive model documentation. WARRANT · trace.agent_id + trace.model_id + trace.model_version (immutable in the evidence package). Documentation gap surfaced when version_id absent.
§ III.B
Effective challenge captured. WARRANT · trace.actions[*].alternative_paths_considered flags decisions where no alternative was logged.
§ III.B
Model inventory maintained. WARRANT · trace.agent_id + trace.regulated_entity per trace today; cross-trace inventory roll-up ships v0.5, 2026 Q3.
03 · SR 26-2 SUPERSESSION

The current guidance. Tailored for AI.

SR 26-2 was issued jointly by the Federal Reserve, OCC, and FDIC on 17 April 2026 (OCC Bulletin 2026-13) as the Revised Guidance on Model Risk Management. It supersedes and replaces SR 11-7 (2011) and SR 21-8. The four-pillar discipline carries forward, but SR 26-2 restates it as principles-based and risk-tailored rather than prescriptive, and reads as most relevant to banks above USD 30 billion in assets. The revision adds explicit treatment for ML and large language models in decisioning, references the OCC Comptroller's Handbook for examiner methodology, and confirms that AI agents acting on bank decisions count as material models.

GAO B-331324 is the canonical citation for the 2011 SR 11-7 letter under Congressional Review Act review. Counsel still trace the lineage by number; SR 26-2 carries the same paragraph references into its restatement. The artefact a supervisor reads is the same shape under the current guidance.

2026-04-17
SR 26-2 CURRENT
Issued 17 April 2026 by Fed / OCC / FDIC. Supersedes SR 11-7 (2011) and SR 21-8; principles-based, banks above USD 30B in assets.
B-331324
GAO REFERENCE
Canonical citation under Congressional Review Act. Used by counsel and regulators as the primary historical reference for the SR 11-7 lineage.
04 · WHY THIS REGULATOR NOW

What did SR 26-2 change for AI in banking?

SR 26-2 was issued on 17 April 2026 and supersedes SR 11-7 and SR 21-8 while carrying the four-pillar discipline into a principles-based, risk-tailored restatement. The revision adds explicit treatment for ML and large language models in decisioning, references the OCC Comptroller's Handbook for examiner methodology, and confirms that AI agents acting on bank decisions count as material models. Examiners read § III.B as the operative test; the four pillars SR 11-7 named are the lineage SR 26-2 now applies.

Recent enforcement signal carries forward from a multi-year base. OCC consent orders against Wells Fargo (multiple, model-risk-related, 2018-2024, totalling over USD 3 billion in civil money penalties across consumer auto, mortgage, and deposit decisioning) cited SR 11-7 § III.B failures repeatedly. The Federal Reserve cease-and-desist order against Citigroup (October 2020, USD 400 million) cited significant ongoing deficiencies in enterprise-wide risk management, including model risk management. Multiple smaller OCC and Fed actions against community banks have followed the same template, with effective-challenge documentation as the most common gap finding.

Prosecutorial interest is moving toward AI agents specifically. The OCC's 2025 semiannual risk perspective named generative AI in lending decisioning as a heightened-risk activity. The Federal Reserve's Supervision and Regulation Letter SR 25-1 (April 2025) on third-party risk management referenced SR 11-7 explicitly when treating model-vendor relationships. The current examination cycle (April 2026 through Q1 2027) is the first to cite SR 26-2 directly in MRA and MRIA findings; counsel reviewing this page in May 2026 should expect that an unmapped AI agent in a material decisioning role is in scope for a §III.B finding on the next examination.

05 · MAPPING · FOUR PILLARS

Per-pillar field map.

Banks should pay particular attention to model uncertainty and inaccuracy and ensure that any uses of model outputs are appropriate, given the limitations of the underlying model. Model risk management should include disciplined and knowledgeable development and implementation processes that are consistent with the situation and goals of the model user and with bank policy. SR 11-7 · § III.A · introductory framework (carried into SR 26-2's 2026 restatement)

The mapping below carries each of the four pillars and the supervisory expectations that flow from them. Each row names the obligation, the examiner's read, and the Warrant evidence field that satisfies it. This is the table an OCC or Federal Reserve examiner reads against the evidence package on horizontal review.

§ III.B · 1
Independent validation · model methodology, assumptions, limitations. WARRANT · trace.model_validation_record_id (when supplied) binds the validation outcome to every decision artefact downstream, independently verifiable without contacting Warrant.
§ III.B · 2
Independent validation · ongoing testing as conditions change. WARRANT · trace.model_governance.psi (when supplied) + drift_indicators per action. Live-validation linkage when validation_record_id is current.
§ III.B · 3
Ongoing monitoring · champion-challenger, PSI, drift, performance metrics. WARRANT · trace.model_governance.psi + per-action authorization_envelope.preconditions_met. Monitoring outcome attached at action time, not aggregated post-hoc.
§ III.B · 4
Ongoing monitoring · benchmark and back-testing. WARRANT · trace.backtesting_record_id (when supplied) flags decisions where benchmark metrics absent.
§ III.B · 5
Comprehensive documentation · methodology, data, limitations, validation. WARRANT · trace.agent_id + trace.model_id + trace.model_version (immutable in the evidence package). Per-decision documentation snapshot resolves to model-card lineage.
§ III.B · 6
Comprehensive documentation · third-party replicability standard. WARRANT · trace.regulated_entity + trace.policy_version_id. Documentation gap surfaced when version_id absent or detached from active validation.
§ III.B · 7
Effective challenge · objective, qualified, influential. WARRANT · trace.actions[*].alternative_paths_considered flags decisions where no alternative was logged. Effective-challenge gap is the most common §III.B finding in MRA letters.
§ IV.A
Model inventory · all models in use, planned for use, recently retired. WARRANT · trace.agent_id + trace.regulated_entity per trace today; cross-trace inventory roll-up ships v0.5, 2026 Q3.
§ V.A
Roles, governance, board oversight. WARRANT · trace.signed_off_by + the record names the accountable officer's tenant. Senior-officer binding when supplied.
SR 26-2 · AI
AI/ML and large language models in decisioning · explicit material-model classification. WARRANT · trace.agent_id binds to the AI deployment; trace.model_version captures foundation-model lineage; OCC Comptroller's Handbook treats LLM swaps as new model under § III.B documentation requirement.
SR 25-1
Third-party risk management read with SR 11-7 · vendor model oversight. WARRANT · trace.regulated_entity (chartered bank) + the record names the vendor or sponsor-bank tenant. The bank's MRM framework reads through to the third-party model via the record.
06 · FAQ

Questions a CRO and OCC examiner ask first.

Does SR 11-7 apply to my firm if i am not a bank holding company?

SR 11-7 binds bank holding companies, state member banks, US branches and agencies of foreign banking organisations, and other supervised institutions. Non-bank lenders and fintech firms outside Federal Reserve supervision are not directly bound, but where a bank partner is the chartered entity (BaaS, sponsor-bank model), the bank's MRM framework reads through to the agent. The supervisor reads the chain irrespective of who deploys the model.

What did SR 26-2 change for AI agents specifically?

SR 26-2, issued 17 April 2026 (OCC Bulletin 2026-13), supersedes and replaces SR 11-7 (2011) and SR 21-8. It carries the four-pillar discipline into a principles-based, risk-tailored restatement, most relevant to banks above USD 30 billion in assets, and adds explicit treatment for ML and large language models in decisioning. The revision references the OCC Comptroller's Handbook for examiner methodology and confirms that AI agents acting on bank decisions count as material models. Effective challenge expanded to include alternatives-considered logging at runtime, not just at validation. GAO B-331324 remains the canonical historical reference for the 2011 letter under Congressional Review Act review.

How do i generate SR 11-7 evidence if my agent runs on the Anthropic API?

Wrap each tool call with the Warrant trace shape (actor, action, subject, inputs, outputs, ts, alternatives_considered, rationale) and POST the JSON to /attest. Warrant produces the evidence package mapped to the four pillars per action: validation reference, monitoring outcome, documentation snapshot, effective-challenge alternatives. Same artefact whether the LLM is Anthropic, OpenAI, or open-source.

What does an OCC examiner pull as 'sufficient documentation' under § III.B?

Sufficient means a third party could replicate the model's purpose, methodology, limitations, and validation outcomes from the documentation alone. The OCC Comptroller's Handbook on model risk treats this as the operative standard. Per-decision documentation snapshots tied to model_version are the lever; aggregated model-card PDFs are necessary but not sufficient. The examiner will pull a specific decision and walk it back to the active validation record.

Are non-bank fintech AI deployments in scope?

Not directly under SR 11-7. But the bank-partner relationship pulls fintechs into the perimeter through the bank's vendor risk management. The Interagency Guidance on Third-Party Relationships (June 2023, Fed/OCC/FDIC) requires the bank to apply MRM-equivalent oversight to third-party models that drive bank decisions. The fintech that wants to scale BaaS deployments treats SR 11-7 evidence as the operative artefact.

What recent enforcement actions reference model risk under SR 11-7?

OCC consent orders against Wells Fargo (multiple, model-risk-related, 2018-2024, totalling over USD 3 billion in civil money penalties) cited SR 11-7 § III.B failures across consumer auto, mortgage, and deposit decisioning. The Federal Reserve cease-and-desist order against Citigroup (October 2020, USD 400 million) cited significant ongoing deficiencies in enterprise-wide risk management, including model risk management. Multiple OCC and Fed actions against community banks have followed the same template, with effective-challenge documentation as the most common gap finding.

07 · READ THE SOURCE

Primary citations.

The current Federal Reserve guidance is SR 26-2 (17 April 2026) at federalreserve.gov/supervisionreg/srletters/SR2602.htm, with the OCC companion at OCC Bulletin 2026-13. It supersedes the predecessor SR 11-7 (2011) at sr1107.htm. The full Supervision and Regulation Letters archive is at srletters.htm. GAO B-331324 is at gao.gov/products/b-331324. The OCC Comptroller's Handbook (model risk supervision) is at occ.gov/publications-and-resources.

W
Sample US evidence package · Northcentral Trust Bank small-business underwriting agentINDEPENDENTLY VERIFIABLE · ID 041f2335488dd56f
→ us-fintech.pdf
Verify a package → Open the demo All regulators