Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature AI Risk

SR 26-2 for Community and Regional Banks: What the Proportionality Principle Actually Requires

SR 26-2 and OCC 2026-13 replaced SR 11-7 on April 17, 2026 — and the proportionality principle changes what model risk management looks like for banks under $100 billion. Here's what's actually required, what's still expected, and how to calibrate your program.

By Rebecca Leung · July 3, 2026 ·
Table of Contents

TL;DR

  • SR 26-2 / OCC 2026-13, issued April 17, 2026, is the first MRM guidance update in 15 years — and its defining principle for smaller banks is proportionality: validation depth and frequency should match model risk, not a fixed schedule
  • OCC Bulletin 2025-26 (October 2025) explicitly relieved community banks of SR 11-7’s implicitly required annual validation cadence
  • Three validation components remain: conceptual soundness, outcomes analysis, and ongoing monitoring — what changes is the prescriptive methodology underneath them
  • GenAI tools are excluded from SR 26-2 scope — but are still expected to be governed under general safety-and-soundness principles

SR 11-7 ran American model risk management for 15 years. For a $3 billion community bank with 12 models, it prescribed the same framework as a $300 billion regional bank with 3,000. Annual validation. Documented effective challenge. Board-level model risk committee. Independent internal audit review. Enumerated tasks at every level.

On April 17, 2026, the OCC, Federal Reserve, and FDIC replaced it.

SR 26-2 / OCC 2026-13 is principles-based, voluntary, and built around a concept that SR 11-7 only gestured at: proportionality. Your model risk management program should match your actual risk profile — not a regulatory template designed for a G-SIB.

Here’s what that actually means for community and regional banks in practice.


What SR 26-2 Changed — and What Stayed

Before getting into proportionality, it helps to be clear on what the new guidance preserved from 2011.

What carried over:

Three core validation components survived the rewrite: conceptual soundness (does the model’s theory and design make sense?), outcomes analysis (do model outputs track actual results?), and ongoing monitoring (are you catching drift and performance degradation?). The model definition from SR 11-7 — a quantitative method, system, or approach applying statistical, economic, financial, or mathematical theories to process input data into quantitative estimates — also remains.

Model inventory, model risk tiering, and the principle of effective challenge are all retained. So is the requirement that banks be responsible for third-party and vendor models.

What changed:

The prescriptive layer underneath those principles. SR 11-7’s enumerated approaches to VaR backtesting, parallel outcomes analysis, override analysis, and specific board/audit task lists are gone. SR 26-2 describes what needs to happen, not how to do it at a methodological level.

Most significantly for community banks: OCC Bulletin 2025-26, issued in October 2025 before the joint guidance, explicitly stated that institutions would not receive negative supervisory feedback solely on the basis of validation frequency or scope — provided their approach was commensurate with their risk profile and business complexity.

That’s the end of SR 11-7’s implicit annual-validation-for-every-model expectation.


What “Proportionate” Actually Requires

Proportionality isn’t permission to do less. It’s permission to do less for lower-risk models — while doing more for the ones that matter. In practice, it requires four things to work:

A Complete Model Inventory with Risk Tiering

You can’t calibrate validation to risk if you don’t know what models you’re running. The inventory requirement from SR 11-7 didn’t go away — and examiners still look for it as the foundation of any MRM program.

What changes is the tiering approach. SR 26-2 expects your institution to document how you’ve classified each model by risk level, and how that classification drives validation intensity. A Tier 1 model — one that directly informs credit decisions, pricing, or capital adequacy — warrants more rigorous, more frequent validation than a Tier 3 model used for internal management reporting.

There’s no prescribed tier structure in SR 26-2. What examiners want to see is that you have a documented rationale and apply it consistently.

Calibrated Validation Frequency

Under SR 11-7, the effective expectation was annual validation for all models in scope. Under SR 26-2 / OCC 2025-26, the expectation is frequency commensurate with risk. For a community bank:

  • A credit risk scorecard used to underwrite the majority of consumer loans: probably annual, or more frequently if the economic environment shifts
  • A simple IRR model used for internal interest rate risk management: two or three-year cycle may be defensible with interim monitoring
  • A vendor-provided AML transaction monitoring system classified as high risk: annual at minimum, with additional monitoring tied to vendor model updates

Document the logic. “We validate this model every 18 months because it has a stable track record and limited material change in the underlying portfolio” is the kind of documented judgment SR 26-2 is designed to accommodate. “We validated it three years ago and haven’t gotten around to it” is not.

Effective Challenge That Fits Your Organization

Effective challenge requires independence from the model development function and demonstrable expertise. For a community bank without a dedicated model risk team, that creates a real operational question.

SR 26-2 doesn’t resolve this by lowering the bar — it just doesn’t prescribe the org structure. What examiners want to see for a smaller institution:

  • A person (or team) who did not build or own the model conducting the review
  • Documented expertise — either through credentials, experience, or external support
  • A written challenge of the key modeling assumptions, not just a sign-off

For complex, high-risk models — a credit risk scorecard, an ALCO model — a qualified external validator engaged on a risk-commensurate schedule is the most defensible approach for institutions that can’t maintain deep internal validation capacity.

Governance Without Enumerated Tasks

SR 11-7 came with specific task lists for boards, model owners, and internal audit. SR 26-2 retains clear roles and accountability — boards set risk appetite, management owns model risk day-to-day, internal audit provides independent assurance — without prescribing exactly how those responsibilities are discharged.

For a community bank, this means your model risk policy needs to define who does what, your board needs to see meaningful reporting on model risk, and audit needs to maintain independence. But the format of that reporting and the content of that audit program can be calibrated to your institution’s size.


The Models Examiners Actually Focus On

Proportionality means some models get more attention than others. Regardless of institution size, examiner scrutiny concentrates on these:

Model TypeWhy It Gets Attention
Credit risk scorecardsDirectly tied to fair lending and capital adequacy
CECL / allowance modelsRegulatory capital implications, audit scrutiny
AML/fraud transaction monitoringCompliance obligation; gaps create BSA/AML risk
Interest rate risk (ALCO)Supervisory focus on asset-liability management
Pricing models (loan, deposit)Consumer harm potential, fair lending implications

The shadow AI inventory problem applies here too — if your institution is using models or AI tools you haven’t formally catalogued, the gap will surface in an examination before your governance program does.


The Vendor Model Question

SR 26-2 keeps the SR 11-7 position on vendor models: banks are responsible for validating third-party models, not just relying on vendor-provided documentation.

This is operationally significant for community banks, which often run core credit, AML, and interest rate risk models through vendors. The common misconception — that a vendor’s SOC 2 report, model validation documentation, or “validated by [firm]” claim satisfies SR 26-2 — doesn’t hold up in examination.

What’s acceptable: using vendor validation documentation as input to your own assessment, combined with your own testing of model outputs in your specific use context and portfolio.

What’s not acceptable: substituting vendor documentation for your own review with no independent assessment of whether the model performs as expected on your data.

For purchased models, the proportionate approach is to obtain the vendor’s validation documentation, conduct outcome testing in your environment, document any limitations, and establish monitoring for ongoing performance tracking.

The AI model inventory and governance processes that regulators tested in 2025 examinations apply directly to vendor model governance under SR 26-2. If you can’t produce a vendor model inventory showing last validation date and who conducted the review, that’s the gap examiners will find.


What GenAI Tools Need — Even Outside SR 26-2 Scope

The April 2026 guidance explicitly excluded generative AI and agentic AI from scope. That exclusion doesn’t mean your GenAI tools are ungoverned — the agencies were clear that “existing risk management and governance practices” still apply.

For community and regional banks deploying GenAI tools — loan modification letter generators, customer service chatbots, document summarization tools — what examiners will look for:

  • A documented owner for each tool in production
  • Some form of pre-deployment review before the tool touched customers
  • Post-deployment monitoring appropriate to the use case’s risk
  • Third-party vendor risk assessment for AI tool providers

The SR 26-2 GenAI governance gap covers how those existing expectations apply to your AI governance program while the AI-specific regulatory framework is still being finalized.


So What? A 60-Day Action Plan for Community and Regional Banks

Days 1–20: Inventory and tiering Pull your current model inventory. If it doesn’t exist in documented form, start building it now — that gap will be the first finding in any examination. For each model: document the use case, risk tier, last validation date, and next scheduled validation. Flag any models past due under your own stated policy.

Days 21–40: Calibrate your validation schedule For each Tier 1 model: is validation scheduled within the next 12 months? Is the scope documented? For Tier 2 and Tier 3 models: is there a documented rationale for the reduced frequency? Examiners want to see the judgment, not just the outcome.

Days 41–60: Governance documentation Update your model risk policy to reflect the SR 26-2 framework — proportionality language, validation components, effective challenge requirements. Make sure board reporting on model risk exists and is meaningful. Confirm internal audit has documented its model risk oversight role.

The AI Risk Assessment Template & Guide covers model inventory structure, risk tiering frameworks, pre-deployment review checklists, and governance documentation for institutions building or refreshing their MRM program under the new guidance.

Proportionality is not a gift — it’s a judgment call that has to be documented. The question SR 26-2 puts to every institution isn’t “how little can we do?” It’s “can you show me that what you did was commensurate with your risk?” That’s a harder question to answer than a checklist, which is why the documentation work matters now, before the next examination cycle.

The AI model inventory framework for tracking governance drift between validation cycles applies here too — a model inventory that isn’t maintained between validation events doesn’t satisfy the ongoing monitoring component SR 26-2 retained from SR 11-7.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does SR 26-2 apply to community banks?
Yes — SR 26-2 / OCC 2026-13, issued April 17, 2026, applies across institution sizes. However, OCC Bulletin 2025-26 (October 2025) provides that community banks will not receive negative supervisory feedback solely for the frequency or scope of model validation, provided their approach is commensurate with their risk exposures and business complexity.
Is annual model validation still required under SR 26-2?
No. SR 26-2 eliminated the effectively binding annual validation requirement from SR 11-7. The new framework is proportionality-based: validation frequency and depth should be calibrated to the model's risk, complexity, and materiality — not a fixed schedule.
What is the model definition under SR 26-2?
SR 26-2 retains the SR 11-7 definition: a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. Judgment-based tools and simple lookup tables remain outside scope.
What does 'effective challenge' mean for a smaller bank?
Effective challenge requires that model validation be conducted by personnel who are independent from model development and have the requisite expertise. For community banks, this does not require a dedicated internal validation team — but it does require demonstrable independence and documented expertise, which often means a qualified external validator for complex or high-risk models.
Do vendor and third-party models require validation under SR 26-2?
Yes. SR 26-2 retains the SR 11-7 position that banks are responsible for validating models provided by vendors. You can use vendor-provided validation documentation as a starting point, but cannot substitute it for your own assessment. At minimum, examiners expect validation that the model performs as described in your specific use context.
What will examiners look for in a proportionate MRM program for a $5–15 billion bank?
Examiners will look for: a complete model inventory with documented risk tiering, validation completed for Tier 1 (high-risk) models, documented rationale for lower-intensity validation of simpler models, effective challenge demonstrated through independence, and board/senior management oversight that is clear without being prescriptive.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.