SR 11-7 to SR 26-02: What Changed and What Community Banks Must Do
SR 26-02 replaces SR 11-7 as the supervisory standard for model risk management. The six pillars survive. The application, governance posture, and scope have shifted. Here is what every community bank should do this quarter.
Dushyant Sengar
Co-Founder & Partner

On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued SR 26-02, the new supervisory guidance on model risk management. It replaces SR 11-7 after a fifteen-year run. If your model risk program was built on SR 11-7, the good news is that the foundation still stands. It's just that the walls and the doors are different.
The headline for a community bank: this is closer to relief than to burden. The agencies have moved from a prescriptive posture to a principles-based one, focused the heaviest expectations on banks above $30 billion in assets, and explicitly carved out generative and agentic AI from the scope. The catch is that "principles-based" means examiners will judge your program against the spirit of the guidance, not a checklist. That requires a sharper internal story than SR 11-7 ever did.
Here is what changed, what it means for a community bank under $10 billion, and the next ninety-day moves to make right now.
The basics in sixty seconds
- Effective: April 17, 2026
- Issued by: OCC, Federal Reserve, FDIC (jointly)
- Supersedes: SR 11-7 (April 2011) and SR 21-8 (the 2021 interagency statement on BSA/AML model risk), plus several OCC bulletins and handbook sections
- Primary applicability: "most relevant to banking organizations with over $30 billion in total assets," with continued application to smaller institutions where model risk is material
- Enforceability posture: The guidance "does not set forth enforceable standards," and the agencies have stated that "non-compliance with this guidance will not result in supervisory criticism" on its own
The previous $1 billion FDIC threshold from the 2017 adoption of SR 11-7 is gone. The new $30 billion line is significant for the vast majority of community banks and credit unions, but it does not mean SR 26-02 is irrelevant below the threshold. Examiners will continue to expect institutions with material models to have programs that are reasonably supported, especially around CECL, ALLL, and AI-influenced lending decisions.
The six pillars: what carries forward
The conceptual soundness, ongoing monitoring, and outcomes analysis framework introduced by SR 11-7 survives. So does effective challenge as the organizing principle. So does the central question every examiner will still ask: can you defend how this model is used, and how do you know it is still fit for purpose?
If your existing program is built around those three pillars and around the idea that documentation must travel with the model, the new guidance will not require a teardown. The vocabulary changes in places, but the intent of the framework does not.
The five fundamental shifts
1. A real materiality framework, not an implied one
SR 11-7 acknowledged that model risk management should scale with model complexity and use. In practice, many institutions applied roughly uniform rigor across their model inventory because the guidance never told them how to differentiate.
SR 26-02 makes the materiality framework explicit. Materiality is now defined as a function of model purpose (regulatory versus risk management functions) and model exposure (significance to business decisions). A small, low-exposure model can be governed with automated performance monitoring and standardized controls. A high-materiality model still requires the full validation, independent challenge, and ongoing oversight you would expect.
This is the single most consequential change for a lean community bank. You are now permitted, with clear documentation, to run a tiered governance program. Treat materiality classifications as a policy decision, document the rationale, and apply the matching depth of validation.
2. A narrower definition of "model"
The new guidance restricts the definition of a model to quantitative methods that are complex and grounded in statistical, economic, or financial theory. Explicitly excluded are "simple arithmetic calculations, such as those found within spreadsheets," and deterministic rule-based processes without a statistical or economic foundation.
In practice, this means your model inventory should be smaller after a careful re-read of the definition. Calculators that simply apply known formulas, deterministic rules, and look-up tables can come off the model inventory and onto whatever lighter operational controls list your bank already maintains. Document the reason for the reclassification. Do not move anything that genuinely meets the new definition.
3. Principles-based governance, not prescription
SR 11-7 left a strong impression that annual model validation was a baseline expectation. Many examiners enforced it as a near-rule even where the guidance was less direct. SR 26-02 removes the implied annual cadence. It removes the specific board approval procedures that some institutions over-engineered to satisfy. It removes detailed independence mechanisms in favor of "clear roles and responsibilities with well-defined accountability."
This sounds like flexibility because it is. It also raises the bar on the written policy. Examiners now expect your model risk management policy to articulate, in your own words, when and why each type of model is validated, by whom, and what triggers a refresh outside the regular cycle. Your policy is the standard you will be judged against. Make it specific.
4. Greater weight on ongoing monitoring
The phrase used in industry analysis of the new guidance is "outcomes-based monitoring." SR 26-02 emphasizes the detection of drift, degradation, and changed conditions through real-world performance analysis, not just point-in-time validation events.
For a community bank, the practical translation is two-fold. First, your CECL model needs a defined monitoring cadence with explicit triggers for re-validation, and the monitoring must be performed and documented in a way that an examiner can trace. Second, any AI-influenced model used in credit, fraud, or fair lending requires the same monitoring discipline as a traditional statistical model, even though AI models are partially carved out of scope (see below). The carve-out applies to the model's classification, not to the underlying obligation to manage risk well.
5. Generative AI and agentic AI are explicitly out of scope
This is the part that surprises people. SR 26-02 explicitly excludes generative AI and agentic AI from its scope, describing them as "novel and rapidly evolving." The agencies have signaled a future request for information specifically on AI use. Until then, these technologies are subject to general banking organization risk management and governance practices, not to SR 26-02's model risk framework.
The exclusion is narrower than it sounds. A traditional supervised machine learning model used in credit decisioning is still a model under SR 26-02. A retrieval-augmented chatbot used for customer service is not. The grey area in between, including AI tools that influence underwriting decisions or generate disclosures, is where examiner judgment will fill the gap. Document what your bank uses, how it is used, and what controls you have applied. Do not assume the carve-out exempts you from fair lending, UDAAP, or third-party risk obligations.
While we have not yet seen clients go through a model re-tiering exercise, next year's exams may include questions about justifying any model downgrades or upgrades and the rationale behind them.
The third-party model question
Vendor models received lighter explicit requirements under SR 26-02. The sound practice now is described as "developing an understanding of the model" combined with ongoing monitoring. The earlier expectation of contingency planning for third-party model failures is no longer explicit.
RegVizion advises against reading this as permission to relax. Most community banks rely on vendor models for CECL, BSA/AML, fraud, and parts of credit decisioning. Examiners will still probe what you actually know about the vendor's methodology and what you do when performance drifts. The new wording gives you flexibility to scale the depth of your vendor due diligence to the model's materiality. It does not exempt you from the broader third-party risk management expectations that apply to any critical vendor relationship.
What this means for a community bank under $30 billion
Three things, in order of importance.
First, SR 26-02 gives you the license to right-size. The materiality framework was the missing piece in SR 11-7. You can now codify a tiered governance approach without feeling like you are cutting corners. Document the policy. Apply it. Defend it in the exam.
Second, the AI carve-out is not a free pass. The agencies will return to AI with separate guidance. State activity (Colorado, New York, California) is filling the gap in parallel. Anything your institution does that touches AI in credit decisions, marketing targeting, or customer-facing copy needs a documented governance approach now, not when the next guidance lands.
Third, your model risk management policy is now your primary regulatory artifact. Under SR 11-7, examiners often started with whether you met the implicit expectations. Under SR 26-02, examiners start by reading your policy and judging whether you followed it. If your policy is stock language pulled from a vendor template, this is the moment to rewrite it in your own words, anchored to your model inventory, materiality classifications, and monitoring cadence.
A ninety-day checklist
Concrete moves to make between now and August 2026:
- Re-read your model risk management policy and rewrite the sections on validation cadence, board reporting, and independence to reflect SR 26-02 language and your own institution's reality.
- Define your materiality framework in writing. Document the two-factor scoring (purpose and exposure), the resulting tiers, and the governance treatment for each tier.
- Re-inventory your models under the new "complex quantitative methods" definition. Identify anything that should come off the inventory. Document the rationale.
- Map your existing AI usage across credit, fraud, customer service, and marketing. Note which uses are model-based (in scope), which involve generative or agentic AI (out of scope under SR 26-02 but subject to general risk management), and which sit in the grey area.
- Stand up an ongoing monitoring schedule for your top three material models (typically CECL, BSA/AML, and any credit scoring model in active use). Define triggers for unscheduled re-validation.
- Refresh your vendor model due diligence for each material vendor model. Confirm what you know about the methodology, what monitoring you receive, and what you do when performance drifts.
- Brief your board in the next regular meeting. The change in supervisory posture is material to their risk oversight responsibilities.
- Pressure-test the new policy by walking one model end-to-end through an internal examiner-style review. Where you cannot defend a decision, fix the gap before the real exam.
What to watch over the next twelve months
Two threads run in parallel. The first is the forthcoming agency RFI on AI use. Expect targeted questions on generative AI, agentic systems, third-party AI tools, and how institutions classify and govern them. Submit comments where your experience is relevant. The second is state-level activity. Colorado's AI Act is the most developed, with significant implications for institutions doing business with Colorado consumers regardless of charter or asset size. New York and California are advancing their own frameworks.
A community bank with a clean SR 26-02 program and a documented AI governance policy will be well-positioned for both threads. The institutions that wait for the next federal letter will be playing catch-up against state requirements and against banks that moved sooner.
A note on what we wrote before
Earlier RegVizion content on model risk management reflects the SR 11-7 framework that was in effect at the time. The core pillars discussed in those pieces (conceptual soundness, monitoring, outcomes analysis) carry forward. The application has shifted in the ways described above. We have added a banner to those pieces pointing readers here for the current view.
How RegVizion helps
We work with community banks and credit unions under $10 billion on the SR 26-02 transition. That includes model risk management policy rewrites, materiality framework design, model inventory re-scoping, validation tiered to actual model risk, and ongoing monitoring program design. Our model risk management practice and AI governance practice cover the full sweep, and we deliver with senior practitioners only.
Want a second opinion on your SR 26-02 transition plan? Email Dushyant directly at dushyant@regvizion.com or send a note through our contact form. First call is free.
Dushyant Sengar is Co-Founder and Partner at RegVizion LLC, where he leads the Model Risk Management and AI Governance practice. He has guided community banks, credit unions, and fintechs through SR 11-7 validation programs and is now helping clients transition to SR 26-02.
Authoritative references: SR 26-02 Federal Reserve letter · Revised Guidance attachment (PDF)
