On April 17, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Federal Reserve), and Federal Deposit Insurance Corporation (FDIC) (collectively, the federal agencies) issued revised interagency guidance on model risk management. The guidance updates and consolidates supervisory expectations for how banks manage their growing use of models across their businesses and effectively manage the associated risks, while rescinding prior guidance issued by each agency. The updated guidance is principles-based and risk-based, rather than prescriptive, and the federal banking agencies emphasize that model risk management should be tailored to a bank’s model risk profile, as well as the size and complexity of its operations. The agencies further state that non-compliance with the guidance itself will not, standing alone, result in supervisory criticism. That said, weak model risk management can still lead to findings of unsafe or unsound practices or violations of law.

Importantly, the guidance applies to traditional statistical and quantitative models, and generative AI and agentic AI models are not within scope. Nonetheless, the federal banking agencies note that a bank’s “risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered…”

Scope, Definitions, and Risk-Based Focus

The guidance is aimed primarily at banking organizations with more than $30 billion in total assets, although smaller institutions that make heavy or complex use of models may also find it relevant. A “model” is defined as a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to transform input data into quantitative estimates. “Model risk” is the risk of adverse financial consequences from decisions based on model output, including financial losses, reporting errors, and poor risk or business decisions.

A core message is proportionality. The level of development, testing, validation, and documentation should be commensurate with how important the model is to the business and how complex and assumption‑driven it is. High‑impact, complex models used in critical decisions warrant more rigorous controls, whereas less material models may appropriately be subject to lighter oversight.

Key Themes

The guidance underscores that model development should start with a clear statement of purpose and be closely aligned with that purpose, the model’s business use, and bank policy. The guidance notes that model development is not purely a technical exercise; a developer’s judgment, which is subjective, can influence model design, data inputs, assumptions, and methodology. Therefore, sound development practices are critical for effective model risk management. Testing is a core part of development, and its rigor should match the model’s complexity and materiality.

Model validation remains a central concept that typically occurs prior to a model’s first use and is periodically repeated after implementation, depending on model risk. Banks are expected to assess whether a model is conceptually sound, performs as intended, and remains appropriate over time. Validation includes reviewing design choices and assumptions and comparing model outputs to actual outcomes or benchmarks. Monitoring is ongoing: as products, portfolios, and market conditions change, banks should watch for performance drift and adjust, recalibrate, or redevelop models as needed.

Throughout the model development process, “effective challenge” by qualified, independent experts is expected. Furthermore, governance should clearly define roles and responsibilities, maintain up-to-date model inventories, and ensure adequate documentation to support effective model risk management practices.

Third‑Party and Vendor Models

The federal agencies make clear that outsourcing model development or using vendor products does not outsource model risk. Banks are expected to understand, to the extent possible, how vendor models work and to monitor their performance on an ongoing basis. Where vendor models are customized, those customizations should be documented, justified, and incorporated into the model validation process. Any external work should be subject to appropriate oversight and integrated into the bank’s overall model risk framework.

Our Take

The revised guidance confirms that model risk management is a core supervisory priority, particularly for larger, model‑intensive organizations. By carving generative and agentic AI models out of its scope, the guidance will also eliminate prior regulatory uncertainty on that point and foster banks’ ability to engage in model innovation.

While the guidance is nonbinding, it will inform examiner expectations around model inventories, materiality assessments, validation and monitoring practices, and governance for both internal and vendor models. Banking organizations, and in particular those above the $30 billion threshold, should review their current frameworks against the guidance and consider where enhancements to proportionality, documentation, governance, and oversight may be warranted.