The landscape of banking and financial services is constantly evolving, driven by rapid technological advancements and a push for greater efficiency and risk mitigation. To address these shifts, the OCC, the Board of Governors of the Federal Reserve System, and the FDIC have issued a revised guidance document on "Principles for Effective Model Risk Management".
Whether you are a risk manager, a compliance officer, or a banking executive, understanding the nuances of this revised framework is critical. Here is a breakdown of what the guidance entails, who it applies to, and how it addresses modern modeling challenges.
While the agencies explicitly label this as "revised" guidance, the document itself focuses on clarifying principles rather than providing a redline of changes from past iterations. The revisions were prompted by supervisory experience, industry feedback, and—crucially—technological advancements in modeling over recent years.
The most glaring modern update is the explicit exclusion of generative AI and agentic AI models[i]. The guidance notes that these novel and rapidly evolving technologies fall completely outside the scope of this document, though traditional statistical, quantitative, and non-generative AI models remain covered.
The guidance also adopts a highly tailored, risk-based approach. It explicitly states that it is most relevant to banking organizations with over $30 billion in total assets, implicitly acknowledging that smaller institutions typically have internal practices already scaled to their size.
Not every calculation requires a massive governance structure. Under the revised guidance, a "model" is strictly defined as a complex quantitative method, system, or approach that uses statistical, economic, or financial theories to process input data into quantitative estimates.
A major theme of the guidance is that not all models present the same level of risk. The rigor of your model risk management must be commensurate with a model's materiality, which is determined by two factors:
If a bank deems a model "immaterial," it may simply monitor its performance rather than conducting a full, rigorous validation. However, highly material models demand comprehensive oversight.
When validation is required, it generally must occur before a model is first used, unless an urgent business need forces a temporary exception with strict controls. The guidance outlines several key components of a robust validation process:
A common challenge in modern banking is the reliance on third-party and vendor-provided models, data, or parameters. Because vendors often keep their underlying code or methodologies proprietary, banks face unique validation hurdles.
However, the guidance is firm: the use of a vendor does not excuse a bank from model risk management principles. Banks are still required to understand the vendor model's conceptual soundness, monitor its performance, and justify any customizations made to fit the bank's specific needs.
The revised guidance underscores that managing model risk is not a purely technical exercise; it requires multidisciplinary engagement, strong governance, and a clear understanding of a model's limitations. By adopting a tailored, materiality-driven approach, banks can foster innovation while protecting themselves against the potential for adverse financial consequences and flawed business decisions.
[i] Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Nonetheless, a banking organization’s risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document. However, the principles described in this guidance apply to traditional statistical and quantitative models and non-generative, non-agentic AI models.