Feature AI Risk
SR 26-2 for Community and Regional Banks: What the Proportionality Principle Actually Requires
SR 26-2 and OCC 2026-13 replaced SR 11-7 on April 17, 2026 — and the proportionality principle changes what model risk management looks like for banks under $100 billion. Here's what's actually required, what's still expected, and how to calibrate your program.
Table of Contents
TL;DR
- SR 26-2 / OCC 2026-13, issued April 17, 2026, is the first MRM guidance update in 15 years — and its defining principle for smaller banks is proportionality: validation depth and frequency should match model risk, not a fixed schedule
- OCC Bulletin 2025-26 (October 2025) explicitly relieved community banks of SR 11-7’s implicitly required annual validation cadence
- Three validation components remain: conceptual soundness, outcomes analysis, and ongoing monitoring — what changes is the prescriptive methodology underneath them
- GenAI tools are excluded from SR 26-2 scope — but are still expected to be governed under general safety-and-soundness principles
SR 11-7 ran American model risk management for 15 years. For a $3 billion community bank with 12 models, it prescribed the same framework as a $300 billion regional bank with 3,000. Annual validation. Documented effective challenge. Board-level model risk committee. Independent internal audit review. Enumerated tasks at every level.
On April 17, 2026, the OCC, Federal Reserve, and FDIC replaced it.
SR 26-2 / OCC 2026-13 is principles-based, voluntary, and built around a concept that SR 11-7 only gestured at: proportionality. Your model risk management program should match your actual risk profile — not a regulatory template designed for a G-SIB.
Here’s what that actually means for community and regional banks in practice.
What SR 26-2 Changed — and What Stayed
Before getting into proportionality, it helps to be clear on what the new guidance preserved from 2011.
What carried over:
Three core validation components survived the rewrite: conceptual soundness (does the model’s theory and design make sense?), outcomes analysis (do model outputs track actual results?), and ongoing monitoring (are you catching drift and performance degradation?). The model definition from SR 11-7 — a quantitative method, system, or approach applying statistical, economic, financial, or mathematical theories to process input data into quantitative estimates — also remains.
Model inventory, model risk tiering, and the principle of effective challenge are all retained. So is the requirement that banks be responsible for third-party and vendor models.
What changed:
The prescriptive layer underneath those principles. SR 11-7’s enumerated approaches to VaR backtesting, parallel outcomes analysis, override analysis, and specific board/audit task lists are gone. SR 26-2 describes what needs to happen, not how to do it at a methodological level.
Most significantly for community banks: OCC Bulletin 2025-26, issued in October 2025 before the joint guidance, explicitly stated that institutions would not receive negative supervisory feedback solely on the basis of validation frequency or scope — provided their approach was commensurate with their risk profile and business complexity.
That’s the end of SR 11-7’s implicit annual-validation-for-every-model expectation.
What “Proportionate” Actually Requires
Proportionality isn’t permission to do less. It’s permission to do less for lower-risk models — while doing more for the ones that matter. In practice, it requires four things to work:
A Complete Model Inventory with Risk Tiering
You can’t calibrate validation to risk if you don’t know what models you’re running. The inventory requirement from SR 11-7 didn’t go away — and examiners still look for it as the foundation of any MRM program.
What changes is the tiering approach. SR 26-2 expects your institution to document how you’ve classified each model by risk level, and how that classification drives validation intensity. A Tier 1 model — one that directly informs credit decisions, pricing, or capital adequacy — warrants more rigorous, more frequent validation than a Tier 3 model used for internal management reporting.
There’s no prescribed tier structure in SR 26-2. What examiners want to see is that you have a documented rationale and apply it consistently.
Calibrated Validation Frequency
Under SR 11-7, the effective expectation was annual validation for all models in scope. Under SR 26-2 / OCC 2025-26, the expectation is frequency commensurate with risk. For a community bank:
- A credit risk scorecard used to underwrite the majority of consumer loans: probably annual, or more frequently if the economic environment shifts
- A simple IRR model used for internal interest rate risk management: two or three-year cycle may be defensible with interim monitoring
- A vendor-provided AML transaction monitoring system classified as high risk: annual at minimum, with additional monitoring tied to vendor model updates
Document the logic. “We validate this model every 18 months because it has a stable track record and limited material change in the underlying portfolio” is the kind of documented judgment SR 26-2 is designed to accommodate. “We validated it three years ago and haven’t gotten around to it” is not.
Effective Challenge That Fits Your Organization
Effective challenge requires independence from the model development function and demonstrable expertise. For a community bank without a dedicated model risk team, that creates a real operational question.
SR 26-2 doesn’t resolve this by lowering the bar — it just doesn’t prescribe the org structure. What examiners want to see for a smaller institution:
- A person (or team) who did not build or own the model conducting the review
- Documented expertise — either through credentials, experience, or external support
- A written challenge of the key modeling assumptions, not just a sign-off
For complex, high-risk models — a credit risk scorecard, an ALCO model — a qualified external validator engaged on a risk-commensurate schedule is the most defensible approach for institutions that can’t maintain deep internal validation capacity.
Governance Without Enumerated Tasks
SR 11-7 came with specific task lists for boards, model owners, and internal audit. SR 26-2 retains clear roles and accountability — boards set risk appetite, management owns model risk day-to-day, internal audit provides independent assurance — without prescribing exactly how those responsibilities are discharged.
For a community bank, this means your model risk policy needs to define who does what, your board needs to see meaningful reporting on model risk, and audit needs to maintain independence. But the format of that reporting and the content of that audit program can be calibrated to your institution’s size.
The Models Examiners Actually Focus On
Proportionality means some models get more attention than others. Regardless of institution size, examiner scrutiny concentrates on these:
| Model Type | Why It Gets Attention |
|---|---|
| Credit risk scorecards | Directly tied to fair lending and capital adequacy |
| CECL / allowance models | Regulatory capital implications, audit scrutiny |
| AML/fraud transaction monitoring | Compliance obligation; gaps create BSA/AML risk |
| Interest rate risk (ALCO) | Supervisory focus on asset-liability management |
| Pricing models (loan, deposit) | Consumer harm potential, fair lending implications |
The shadow AI inventory problem applies here too — if your institution is using models or AI tools you haven’t formally catalogued, the gap will surface in an examination before your governance program does.
The Vendor Model Question
SR 26-2 keeps the SR 11-7 position on vendor models: banks are responsible for validating third-party models, not just relying on vendor-provided documentation.
This is operationally significant for community banks, which often run core credit, AML, and interest rate risk models through vendors. The common misconception — that a vendor’s SOC 2 report, model validation documentation, or “validated by [firm]” claim satisfies SR 26-2 — doesn’t hold up in examination.
What’s acceptable: using vendor validation documentation as input to your own assessment, combined with your own testing of model outputs in your specific use context and portfolio.
What’s not acceptable: substituting vendor documentation for your own review with no independent assessment of whether the model performs as expected on your data.
For purchased models, the proportionate approach is to obtain the vendor’s validation documentation, conduct outcome testing in your environment, document any limitations, and establish monitoring for ongoing performance tracking.
The AI model inventory and governance processes that regulators tested in 2025 examinations apply directly to vendor model governance under SR 26-2. If you can’t produce a vendor model inventory showing last validation date and who conducted the review, that’s the gap examiners will find.
What GenAI Tools Need — Even Outside SR 26-2 Scope
The April 2026 guidance explicitly excluded generative AI and agentic AI from scope. That exclusion doesn’t mean your GenAI tools are ungoverned — the agencies were clear that “existing risk management and governance practices” still apply.
For community and regional banks deploying GenAI tools — loan modification letter generators, customer service chatbots, document summarization tools — what examiners will look for:
- A documented owner for each tool in production
- Some form of pre-deployment review before the tool touched customers
- Post-deployment monitoring appropriate to the use case’s risk
- Third-party vendor risk assessment for AI tool providers
The SR 26-2 GenAI governance gap covers how those existing expectations apply to your AI governance program while the AI-specific regulatory framework is still being finalized.
So What? A 60-Day Action Plan for Community and Regional Banks
Days 1–20: Inventory and tiering Pull your current model inventory. If it doesn’t exist in documented form, start building it now — that gap will be the first finding in any examination. For each model: document the use case, risk tier, last validation date, and next scheduled validation. Flag any models past due under your own stated policy.
Days 21–40: Calibrate your validation schedule For each Tier 1 model: is validation scheduled within the next 12 months? Is the scope documented? For Tier 2 and Tier 3 models: is there a documented rationale for the reduced frequency? Examiners want to see the judgment, not just the outcome.
Days 41–60: Governance documentation Update your model risk policy to reflect the SR 26-2 framework — proportionality language, validation components, effective challenge requirements. Make sure board reporting on model risk exists and is meaningful. Confirm internal audit has documented its model risk oversight role.
The AI Risk Assessment Template & Guide covers model inventory structure, risk tiering frameworks, pre-deployment review checklists, and governance documentation for institutions building or refreshing their MRM program under the new guidance.
Proportionality is not a gift — it’s a judgment call that has to be documented. The question SR 26-2 puts to every institution isn’t “how little can we do?” It’s “can you show me that what you did was commensurate with your risk?” That’s a harder question to answer than a checklist, which is why the documentation work matters now, before the next examination cycle.
The AI model inventory framework for tracking governance drift between validation cycles applies here too — a model inventory that isn’t maintained between validation events doesn’t satisfy the ongoing monitoring component SR 26-2 retained from SR 11-7.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
Does SR 26-2 apply to community banks?
Is annual model validation still required under SR 26-2?
What is the model definition under SR 26-2?
What does 'effective challenge' mean for a smaller bank?
Do vendor and third-party models require validation under SR 26-2?
What will examiners look for in a proportionate MRM program for a $5–15 billion bank?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
◆ Keep reading
Related posts.
AI Risk
Agentic AI in Financial Services 2026: The Governance Framework Your Board Doesn't Know It Needs
SR 26-2 carved agentic AI out of model risk scope in April 2026. That didn't make the risk disappear — it moved the governance burden entirely onto you. Here's what a functional agentic AI governance framework looks like and why you need one before your next exam.
Jul 6, 2026
AI Risk
SR 26-2 and OCC 2026-13: What the New Model Risk Management Guidance Changes — and the GenAI Gap Your Program Needs to Close
The interagency guidance that replaced SR 11-7 on April 17, 2026 is voluntary and principles-based — and it explicitly excludes generative AI and agentic AI from scope. Here's what changed, what examiners will still test, and the gap your AI governance program needs to close before the AI-specific RFI lands.
Jul 2, 2026
AI Risk
EU AI Act August 2, 2026: Your 32-Day Compliance Checklist — What's Still Required After the Omnibus Deferral
The Digital Omnibus pushed Annex III high-risk AI to December 2027 — but August 2, 2026 still brings Article 50 transparency requirements and full GPAI enforcement powers. Here's your verified 32-day checklist.
Jun 30, 2026