On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2: Revised Guidance on Model Risk Management. The letter supersedes two long-standing pieces of guidance: SR 11-7 (2011), which has governed model risk management for fifteen years, and SR 21-8 (2021), the interagency statement on model risk management for BSA/AML systems.
The revised guidance is most relevant to banking organizations with more than $30 billion in total assets regulated by the Federal Reserve, but the principles it sets will shape examiner expectations across the industry, including for fintechs and crypto firms operating through bank partnerships.
Here is what compliance teams need to know.
What SR 26-2 changes at a high level
The agencies describe SR 26-2 as reflecting fifteen years of supervisory experience, industry feedback, and significant advancements in modeling practices. According to the SR letter, three points stand out:
- It consolidates MRM and BSA/AML model guidance. SR 21-8, which extended SR 11-7 principles into BSA/AML systems, is now folded into a single framework. Compliance and BSA teams should expect alignment between enterprise model risk and AML model risk programs.
- It emphasizes a risk-based approach. The agencies explicitly state that model risk management practices should be tailored to a banking organization’s model risk profile and the size and complexity of its operations. This formalizes what examiners have been saying in practice for years.
- It restates sound principles for effective MRM. The core pillars of SR 11-7 (development, validation, governance) carry forward, but with updated framing that recognizes how modeling practices have evolved.
The attached Revised Guidance on Model Risk Management contains the operative detail. Compliance teams should pull it, compare it side by side with SR 11-7 and SR 21-8, and identify gaps in their current program.
What this means for compliance teams now
SR 26-2 is not a clean break from SR 11-7. The pillars are familiar, but the expectations are sharper, more risk-tailored, and now unified with BSA/AML model oversight. Here are a few practical implications:
Your model risk policy needs to be reissued
Any model risk policy that cites SR 11-7 and SR 21-8 as the governing framework is now out of date. The fix is mechanical, but the review is not. Reissuing the policy is the right moment to confirm that:
- Scope language reflects the risk-based approach
- Roles and responsibilities are aligned with current modeling activity
- BSA/AML models are governed under the same framework as enterprise models, not a parallel track
- AI and machine learning models are explicitly in scope
Your model inventory needs to be re-tiered
A risk-based approach is only as useful as the tiering that drives it. If your inventory still uses a generic high/medium/low rubric inherited from a 2015 policy, it will not hold up under SR 26-2. Tiering should reflect model complexity, materiality, consumer impact, opacity, and data dependency.
Validation methodology should be revisited
The revised guidance recognizes that modeling practices have advanced significantly. Validation programs designed for traditional statistical models often fall short for machine learning, large language models, and agentic AI systems. Use the SR 26-2 re-issuance as the trigger to update validation playbooks for the models you actually have in production today.
BSA/AML model governance is no longer a separate workstream
Under SR 21-8, many banks ran AML model validation as a distinct program, often led by financial crimes rather than enterprise model risk. SR 26-2 collapses that distinction. Compliance officers should expect examiners to look for a unified model risk governance structure that covers transaction monitoring, sanctions screening, and customer risk rating models with the same rigor as credit and capital models.
Board reporting needs to reflect the change
Boards and senior management should be briefed on what SR 26-2 changes and what it does not. Aggregate model risk reporting should be updated to reflect the consolidated framework and the risk-based tiering that now drives it.
How SR 26-2 connects to AI model governance
SR 11-7 was written in 2011, before machine learning entered mainstream banking and well before large language models existed. Examiners have spent the last several years extending its principles to AI by analogy. SR 26-2’s emphasis on risk-based tailoring and its acknowledgment of advancements in modeling practices give compliance teams a more defensible foundation for AI model governance, but it does not replace the work of building AI-specific controls.
For context on where AI-specific examiner expectations are heading, see our companion analysis: SR 11-7 and AI: What compliance teams need to know. The AI-specific gaps it describes (opacity, drift, emergent behavior, data dependency, fairness) are not solved by SR 26-2. They are the work that the revised guidance now expects compliance teams to address as part of a risk-based program.
What to do in the next 90 days
For banking organizations over $30 billion, SR 26-2 applies directly. For smaller banks, fintechs, and crypto firms operating through sponsor banks, the practical pressure will arrive through partner expectations and exam scope. Either way, a 90-day plan is reasonable:
- Read the Revised Guidance attached to SR 26-2 alongside SR 11-7 and SR 21-8. Build a redline of substantive changes.
- Update governance documents. Reissue the model risk policy and any subsidiary procedures that reference the superseded SRs.
- Refresh the model inventory and tiering. Confirm AI, machine learning, and BSA/AML models are captured and risk-tiered consistently.
- Validate the validation program. Identify where current validation methodology will hold up under the revised guidance and where it will not.
- Brief the board. Provide a short, plain-language summary of what changed and what the program is doing in response.
The bottom line
SR 26-2 is the most significant update to model risk management guidance in fifteen years. It carries forward the principles that compliance teams already know, consolidates BSA/AML model oversight into the same framework, and formalizes a risk-based approach that examiners have been signaling for years. The institutions that move first to update policies, refresh inventories, and align validation with current modeling practices will be the ones best positioned when examiners arrive with the new guidance in hand.
Need help mapping your model risk program against SR 26-2? Schedule an intro call with our team.

