
Navigating Revised Guidance on Model Risk Management in Banking

The landscape of banking and financial services is constantly evolving, driven by rapid technological advancements and a push for greater efficiency and risk mitigation. To address these shifts, the OCC, the Board of Governors of the Federal Reserve System, and the FDIC have issued a revised guidance document on "Principles for Effective Model Risk Management".

Whether you are a risk manager, a compliance officer, or a banking executive, understanding the nuances of this revised framework is critical. Here is a breakdown of what the guidance entails, who it applies to, and how it addresses modern modeling challenges.

Past vs. Present: What’s Different?

While the agencies explicitly label this as "revised" guidance, the document itself focuses on clarifying principles rather than providing a redline of changes from past iterations. The revisions were prompted by supervisory experience, industry feedback, and—crucially—technological advancements in modeling over recent years.

The most glaring modern update is the explicit exclusion of generative AI and agentic AI models[i]. The guidance notes that these novel and rapidly evolving technologies fall completely outside the scope of this document, though traditional statistical, quantitative, and non-generative AI models remain covered.

Similarly, the guidance adopts a highly tailored, risk-based approach. It explicitly states that this guidance is most relevant to banking organizations with over $30 billion in total assets, implicitly acknowledging that smaller institutions typically have internal practices already scaled to their size.

What Actually Counts as a "Model"?

Not every calculation requires a massive governance structure. Under the revised guidance, a "model" is strictly defined as a complex quantitative method, system, or approach that uses statistical, economic, or financial theories to process input data into quantitative estimates.

What is excluded?

    • Simple arithmetic calculations (like those in standard spreadsheets).
    • Deterministic, rule-based processes or software lacking underlying statistical or economic theories.
    • Generative AI and agentic AI.

The Core Principle: Materiality Dictates the Rigor

A major theme of the guidance is that not all models present the same level of risk. The rigor of your model risk management must be commensurate with a model's materiality, which is determined by two factors:

    • Model Exposure: The significance of the model's output to business decisions (e.g., the size of the portfolio it affects).
    • Model Purpose: What the model is used for. Models used to manage financial risk exposures or meet regulatory requirements carry inherently greater risk.

If a bank deems a model "immaterial," it may simply monitor its performance rather than conducting a full, rigorous validation. However, highly material models demand comprehensive oversight.

Pillars of Effective Model Validation

When validation is required, it generally must occur before a model is first used, unless an urgent business need forces a temporary exception with strict controls. The guidance outlines several key components of a robust validation process:

    • Effective Challenge: Validation isn't a rubber stamp. It requires "effective challenge"—critical analysis by objective experts who have the technical know-how, independence, and organizational influence to effect change.
    • Conceptual Soundness: Validators must rigorously assess model design, key assumptions, data selection, and qualitative judgments.
    • Outcomes Analysis: A model's theoretical design doesn't matter if its real-world application fails. Banks must compare model outputs to real-world outcomes using tools like back-testing or outlier analysis. Persistent deviations might necessitate recalibrating or redeveloping the model.

The Third-Party Vendor Dilemma

A common challenge in modern banking is the reliance on third-party and vendor-provided models, data, or parameters. Because vendors often keep their underlying code or methodologies proprietary, banks face unique validation hurdles.

However, the guidance is firm: the use of a vendor does not excuse a bank from model risk management principles. Banks are still required to understand the vendor model's conceptual soundness, monitor its performance, and justify any customizations made to fit the bank's specific needs.

The Bottom Line

The revised guidance underscores that managing model risk is not a purely technical exercise; it requires multidisciplinary engagement, strong governance, and a clear understanding of a model's limitations. By adopting a tailored, materiality-driven approach, banks can foster innovation while protecting themselves against the potential for adverse financial consequences and flawed business decisions.

 


[i] Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Nonetheless, a banking organization’s risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document. However, the principles described in this guidance apply to traditional statistical and quantitative models and non-generative, non-agentic AI models.