OCC Bulletin 2026-13: What the Agencies' Model Risk Management Overhaul Actually Means for Your Program
TL;DR:
- On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly rescinded SR 11-7/OCC 2011-12 — the model risk management gospel since 2011 — and replaced it with OCC Bulletin 2026-13
- The new framework is principles-based, explicitly not enforceable, and primarily targets banks with $30B+ in assets
- Generative AI and agentic AI are completely out of scope — agencies plan a separate AI model risk RFI
- Practitioners need to update model inventories, rewrite governance policies, and drop prescriptive requirements that no longer apply
Fifteen Years of MRM Gospel, Gone
If you’ve been in model risk management at a national bank for more than five minutes, you know SR 11-7. The Federal Reserve’s April 2011 supervisory letter — mirrored by OCC Bulletin 2011-12 — has been the baseline for every model inventory, validation framework, and governance policy at OCC-supervised institutions for fifteen years.
On April 17, 2026, the OCC, the Federal Reserve Board, and the FDIC jointly rescinded it. All of it.
OCC Bulletin 2026-13 and the Fed’s accompanying SR 26-2 are the replacements. Here’s what actually changed, what’s gone, and what this means for the model risk program you’re running right now.
What Prompted the Overhaul
The short answer: the 2011 guidance was written when models meant credit scorecards and interest rate risk calculators. Examiners spent the next decade-plus applying prescriptive 2011-era rules to machine learning systems, generative AI, vendor-embedded models, and cloud-based analytics platforms that didn’t exist when the original letter was drafted.
The tension was real. Banks couldn’t get clear answers on whether a large language model integration counted as a “model” under 2011-12. Validation teams were applying fixed annual review cycles to models that updated in real time. ABA President Rob Nichols said it plainly after the release: the old guidance “created a great deal of regulatory uncertainty and adversely impacted banks’ ability to innovate.”
The 2026 rewrite is the agencies’ attempt to modernize a framework that had become a compliance constraint rather than a risk management tool.
What Got Rescinded
This is the most immediately operational part for practitioners. The following are gone:
| Rescinded | Agency | What It Covered |
|---|---|---|
| OCC Bulletin 2011-12 | OCC | Core supervisory guidance on model risk management |
| OCC Bulletin 2021-19 | OCC | BSA/AML-specific model risk management statement |
| OCC Bulletin 1997-24 | OCC | Credit scoring models examination guidance |
| Comptroller’s Handbook “Model Risk Management” booklet | OCC | Examination procedures and standards |
| SR 11-7 | Federal Reserve | The original joint guidance with OCC |
| SR 21-8 | Federal Reserve | 2021 supervisory guidance addendum |
If your internal policies, validation procedures, or governance charters explicitly reference any of these documents — and most do — you have cleanup work to do. Policies that cite OCC Bulletin 2011-12 as authority are now citing rescinded guidance.
The New Framework: Principles-Based and Explicitly Not Enforceable
The biggest structural shift in OCC Bulletin 2026-13 is the enforcement posture. The guidance is crystal clear: “This guidance does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism.”
That’s a significant departure from how the 2011 framework was applied in practice. Examiners used SR 11-7 as a compliance checklist. Banks got Matters Requiring Attention and even Matters Requiring Immediate Attention for gaps like missing independent validation documentation or insufficient challenger model testing. The new guidance removes that trigger — at least explicitly.
The backstop remains: unsafe and unsound practices can still generate supervisory action. What’s gone is the prescriptive framework that let examiners cite specific paragraphs of 2011-12 as violations.
The 2026 framework organizes around five principles:
- Risk-based approach — model risk management should match each institution’s specific risk profile, not a universal standard
- Sound model development and use — appropriate design, testing, and documentation proportional to model complexity
- Continuous validation and monitoring — outcomes analysis and conceptual soundness verification, scaled to the model
- Robust governance — clear policies, defined roles, effective controls
- Third-party oversight — vendor products require validation, not just trust
What the New Definition of “Model” Means for Your Inventory
The new guidance narrows the definition. A “model” is now “a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates.”
The key word: complex. The guidance explicitly excludes “simple arithmetic calculations (including spreadsheets), deterministic rule-based processes” that lack statistical underpinnings.
For model risk teams, this means:
May be removed from formal model inventory:
- Simple decision trees with fixed cutoffs (no statistical calibration)
- Spreadsheet-based calculations with direct formula logic
- Rule-based systems with no probabilistic components
- Standard amortization and payment calculations
Still firmly in scope:
- Credit scoring models (logistic regression, gradient boosting, neural networks)
- Interest rate risk models (NII, EVE, duration)
- Stress testing and DFAST models
- AML/transaction monitoring models
- Pricing and valuation models
- Customer behavior models (prepayment, churn, LGD)
The practical effect: some banks may shrink their model inventories significantly. But don’t rush the cleanup before you understand how examiners will interpret “complexity” in practice — the first supervisory cycles under this guidance will clarify the edges.
What’s Removed From the Old Prescriptive Requirements
The Orrick analysis identifies the specific prescriptive requirements that are gone under the new framework:
- Fixed validation cycles: No more mandatory annual reviews for all models. Frequency should match the model’s risk profile.
- Structural independence mandates: No prescriptive reporting-line separation for validators. The principle of independence remains, but the rigid org chart requirements don’t.
- Enumerated internal audit tasks: The checklist of specific things audit had to do is gone.
- Annual policy review cycles: No more mandatory annual refreshes of MRM policy.
- VaR backtesting specifications: Detailed backtesting and parallel run requirements for market risk models removed.
- BSA/AML model risk stand-alone statement: Rescinded entirely via the OCC Bulletin 2021-19 withdrawal.
This doesn’t mean you can stop doing these things. It means you’re no longer required to do them on a prescribed schedule regardless of the model’s risk. If you have a high-risk credit scoring model, annual validation still makes sense. If you have a low-risk regulatory reporting model that hasn’t changed in three years, the new framework lets you calibrate.
What About Smaller Banks?
The 2026 guidance formally targets institutions with over $30 billion in total assets as the primary audience. The prior guidance applied to all supervised institutions — making compliance burdens at community banks sometimes disproportionate to their actual model risk exposure.
The new framing acknowledges that smaller institutions still need sound model risk practices, but proportional to their complexity. A $400 million community bank running five credit models and a budgeting spreadsheet doesn’t need the same governance infrastructure as a $500 billion bank running 2,000+ models across trading, credit, AML, and operations.
Community banks with significant model exposure — particularly those running vendor-provided credit models, sophisticated interest rate risk systems, or AML transaction monitoring platforms — should still apply the principles even if they fall below the primary applicability threshold.
The AI Exclusion: A Feature, Not a Bug
Here’s what will get the most attention: generative AI and agentic AI models are explicitly excluded from OCC Bulletin 2026-13.
The agencies wrote: “Generative AI and agentic AI models are novel and rapidly evolving and are not within the scope of this guidance.” A separate request for information addressing AI model risk — covering generative and agentic AI specifically — is coming.
This isn’t the agencies ignoring AI risk. It’s a recognition that applying 2011-era model risk principles to LLMs and autonomous AI agents creates as many problems as it solves. The governance requirements for a logistic regression credit model and a GPT-based customer service agent are fundamentally different.
What this means practically:
If you’re running generative AI in a national bank: You have no regulatory framework yet. That’s both a relief (no enforcement risk from missing 2026-13 compliance) and a gap (you still have risk, and the RFI is coming). The smart move is to build your own AI risk assessment framework now before regulators prescribe one for you.
If you’re dealing with agentic AI — autonomous systems making decisions in multi-step workflows — the gap is even larger. See our breakdown of the agentic AI governance compliance gap for what practitioners should be doing in the absence of formal guidance.
The RFI is coming. The agencies committed to issuing it “in the near future.” When it lands, expect a comment period of 60-90 days. Start building your AI model inventory now so you have data when regulators start asking for it.
What the Third-Party Vendor Focus Means
One addition to the new framework that deserves attention: explicit focus on third-party and vendor product validation.
The 2026 guidance specifically calls out governance of vendor-provided models. This matters because many banks — especially mid-sized and community institutions — run credit scoring models from FICO, transaction monitoring from vendors like NICE Actimize or Featurespace, and AML systems they didn’t build and can’t fully inspect.
The principle is clear: vendor-built doesn’t mean validated. You’re responsible for understanding model limitations, validating fit-for-purpose, and monitoring performance regardless of who built it. If a vendor tells you their model is proprietary and they won’t share documentation, that’s a governance problem you own.
Practitioner Checklist: What to Do in the Next 30/60/90 Days
30 Days: Immediate
- Identify all internal policies, procedures, and governance charters that cite OCC Bulletin 2011-12 or SR 11-7 — these need updates
- Notify model risk leadership and board/risk committee that the regulatory baseline has changed
- Begin model inventory review to identify which tools may no longer meet the “complex quantitative” threshold
- Flag any ongoing validation projects that relied on specific prescriptive requirements now removed
60 Days: Structural
- Revise model governance policy to remove references to rescinded guidance; align to 2026-13 principles
- Update validation standards — move from fixed cycles to risk-based frequency by model tier
- Reassess independence requirements for validation teams; document rationale for current structure
- Review vendor model governance against the third-party oversight principles
90 Days: Strategic
- Complete model inventory rationalization — document the risk basis for scope decisions
- Establish an AI/GenAI model tracking process separate from the formal MRM program (to be ready for the upcoming RFI)
- If >$30B, brief your model risk committee on the shift from prescriptive to principles-based — examiners will ask about your framework
- Monitor for the OCC/Fed/FDIC AI model risk RFI; prepare internal views on current GenAI usage
The Bigger Picture
OCC Bulletin 2026-13 is the agencies acknowledging what practitioners already knew: the 2011 framework had become a compliance exercise divorced from actual risk management. Banks were spending enormous resources validating low-risk tools to a prescriptive standard while struggling to apply any coherent framework to the AI systems generating real risk.
The shift to principles-based oversight gives practitioners more flexibility. It also means more judgment calls — and more work documenting the rationale for those calls. When an examiner asks why you don’t have annual validation cycles for a given model tier, you need a documented risk-based answer.
For the continuous monitoring and drift detection practices that remain critical under any MRM framework, see our guide on continuous AI model monitoring and drift detection. For the foundational MRM approach that was in place under 2011-12 and what to preserve from it, the OCC Bulletin 2011-12 breakdown is worth a read as context for what’s being replaced.
The 2011 era is officially over. The question is whether your model risk program evolves with it.
Sources:
- OCC News Release 2026-29: OCC Issues Updated Model Risk Management Guidance
- OCC Bulletin 2026-13: Model Risk Management — Revised Guidance
- Federal Reserve SR 26-2: Revised Guidance on Model Risk Management
- Orrick: Agencies Overhaul Model Risk Management Guidance for Banks
- ABA Banking Journal: Banking Agencies Issue Revised Risk Management Model Guidance
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.