The Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) jointly issued revised interagency model risk management (MRM) guidance on April 17, 2026, replacing a framework that had governed bank model risk practices since 2011. Published as OCC Bulletin 2026-13, the updated guidance introduces explicit requirements for data lineage documentation in high-risk models and for the validation of vendor and third-party products-including AI-enabled services-while signaling that a dedicated request for information (RFI) on generative and agentic AI is forthcoming.
Background
On April 17, 2026, the Federal Reserve, FDIC, and OCC replaced SR 11-7, OCC 2011-12, FIL-22-2017, and related BSA/AML issuances with a more risk-based, principles-driven MRM framework. The prior framework, originally developed jointly by the OCC and Federal Reserve in 2011 and later adopted by the FDIC in 2017, had driven substantial compliance investment but was widely misread as imposing prescriptive, one-size-fits-all requirements. The April 17 issuance marks a significant evolution in regulatory expectations for how financial institutions identify, measure, and mitigate risks associated with quantitative models.
The revision arrives as banks increasingly rely on external data feeds, automation platforms, and third-party AI vendors to power credit underwriting, fraud detection, and workflow automation. The proliferation of third-party AI vendors prompted regulators globally to issue comprehensive oversight requirements; the U.S. Interagency Guidance on Third-Party Relationships: Risk Management from June 2023 recognizes that AI models pose similar risks whether developed internally or purchased from vendors, requiring consistent oversight.1OCC Issues Updated Model Risk Management Guidance | OCC Critically, regulators emphasize that institutions cannot outsource accountability.2Model Risk Management in 2026: A Banker’s Guide to the Revised Interagency Guidance | Databricks Blog
Key Details
The OCC, Federal Reserve Board, and FDIC issued the updated interagency guidance to clarify MRM principles, establish a risk-based approach, and rescind prior MRM guidance and related issuances.
Three provisions are particularly relevant to AI data governance. First, the revised guidance explicitly addresses vendor and third-party products, including their validation. It discusses factors that influence model risk and features of effective model development and use, model validation and monitoring, and governance and controls-with specific considerations for vendor and third-party products.
Second, the guidance explicitly requires institutions to document the lineage and quality of data inputs used in high-risk models, on the basis that model output is only as reliable as the underlying data, according to analysis by Schneider Downs.
Third, the guidance introduces a risk-based tiering approach under which each model must sit in a tier reflecting inherent risk, exposure, and purpose, with tier-one material models carrying full lifecycle oversight. Development, validation, deployment, monitoring, and retirement are now treated as a single governed chain, and supervisors expect lineage across every link-not snapshots at hand-off points.
On scope and enforceability, the guidance is expected to be most relevant to banking organizations with over $30 billion in total assets, but is designed to scale based on actual model risk exposure rather than asset size alone, according to the OCC. The guidance does not set forth enforceable standards or prescriptive requirements, and non-compliance will not result in supervisory criticism.
Generative and agentic AI models are not covered under the current framework. These models are novel and rapidly evolving, placing them outside the scope of this guidance. However, the agencies note that a banking organization's existing risk management and governance practices should guide appropriate controls for any tools, processes, or systems the document does not cover.
Outlook
The OCC, Federal Reserve Board, and FDIC plan to issue in the near future an RFI addressing MRM broadly and considering, in particular, banks' use of AI-including generative AI, agentic AI, and AI-based models. The forthcoming RFI is expected to address the governance gap for AI-enabled workflow agents that rely on third-party data integrations, an area where supervisory expectations remain incomplete. The April 2026 guidance is not the last supervisory action in this cycle; agentic AI principles, third-party model oversight, and climate risk modeling are all in motion. Compliance teams at large institutions should reassess model inventories, update vendor contract provisions to include data provenance and validation rights, and begin mapping AI data flows in anticipation of the forthcoming interagency RFI.
