What SR 26-2 Means for Community and Regional Banks

Authors:
Brian Gilbert, Chief Banking Officer, Empyrean Solutions
Andrew Griffis, Finance Specialist, Empyrean Solutions

SR 26-2 is the Federal Reserve, FDIC, and OCC’s revised supervisory guidance on model risk management (MRM), issued jointly on April 17, 2026. It replaces SR 11-7, the framework that has governed how banks manage model risk for the past fifteen years, and it also supersedes SR 21-8, the 2021 interagency statement on model risk management for Bank Secrecy Act and anti-money laundering (BSA/AML) systems. The guidance is expected to be most relevant to banking organizations with more than $30 billion in total assets, but any institution using CECL, ALM, liquidity stress testing, BSA/AML monitoring, or other complex vendor models should read this guidance as directly applicable to them.

What Changed From SR 11-7?

The core framework from SR 11-7 is still intact: development, validation, and governance remain the three pillars of sound MRM. What SR 26-2 adds is proportionality. Governance now explicitly scales with the size and complexity of a bank’s model portfolio, so a community bank isn’t held to the same standard as a $100 billion institution. Machine learning models are now in scope, while generative and agentic AI are carved out.

SR 26-2 also drops several of SR 11-7’s fixed rules in favor of principles banks apply themselves. Where SR 11-7 expected validation “at least annually,” SR 26-2 asks banks to set their own frequency based on model purpose and pace of change, and document that judgment. Effective challenge now requires reviewers to have “the organizational standing and influence to effect any change,” not just technical independence: a validator who can flag a problem but can’t get it fixed isn’t providing effective challenge under the new guidance. One more practical point: SR 26-2 took effect immediately on issuance, with no formal notice-and-comment phase-in.

Does the $30 Billion Threshold Apply to My Bank?

SR 26-2 explicitly states that smaller institutions come into scope when they have significant model complexity or engage in activities outside traditional community banking. If your bank is making major decisions based on model outputs, examiners will expect your MRM practices to reflect that, regardless of your asset size. The $30 billion figure itself replaces a lower, inconsistent bar: the FDIC’s 2017 adoption of SR 11-7 had set a $1 billion threshold for its supervised institutions, so many smaller banks that were technically in scope before now have real relief.

Because SR 26-2 also replaces the 2021 BSA/AML statement, banks should fold AML and fraud-monitoring vendor systems into the same materiality-based inventory and governance approach they use for CECL and ALM models, rather than managing them under a separate standard.

What Is the Vendor Model Obligation Under SR 26-2?

This section is the most important for community and regional banks. Many of the models that institutions rely on, including CECL, ALM, and liquidity stress testing tools, are purchased from vendors rather than built in house. SR 26-2 is clear: buying a model doesn’t transfer the governance obligation. Your institution is still responsible for validating, monitoring, and documenting it.

One change worth flagging: SR 26-2 no longer carries forward SR 11-7’s formal expectation of a written vendor contingency plan. That gives institutions more flexibility, but the underlying risk, a vendor outage with no fallback, hasn’t gone away, so banks heavily dependent on one vendor for CECL or ALM should consider keeping that discipline voluntarily.

To meet the core obligation, your institution needs to:

  • Understand the model well enough to assess whether it’s appropriate for your specific use case.
  • Run ongoing outcomes analysis to confirm the model still performs as conditions in your portfolio and market evolve.
  • Document any customizations and include them in the validation process.
  • Decide, and document, your own validation frequency. SR 26-2 no longer prescribes a fixed cadence, so the choice, and the reasoning behind it, is now on you.

How Should Banks Govern Generative AI Under SR 26-2?

Generative and agentic AI are explicitly excluded from SR 26-2’s scope, since the agencies consider these technologies novel and rapidly evolving. Banks are expected to govern them using their own general risk management principles instead of a prescribed framework.

That exclusion applies to formal scope, not to risk. If a generative AI tool feeds output into a model that is in scope, for example, a document tool that spreads a borrower’s financials into a credit model feeding a CECL reserve calculation, examiners will follow that chain of accountability even though the GenAI step sits outside SR 26-2’s boundary. The practical task isn’t just deciding whether GenAI needs its own policy. It’s mapping where GenAI output touches a model already in scope and watching for the interagency request for information on AI model risk the agencies have signaled is coming.

Four Steps to Ensure Proper Governance

  • Review your model inventory. Make sure every model, including vendor models and BSA/AML monitoring systems, is documented with a clear picture of its materiality.
  • Assess vendor model governance. Do you have evidence of independent validation? Are you monitoring ongoing performance? Are customizations documented? Have you set, and written down, your own validation cadence?
  • Map your GenAI touchpoints. Identify every place a generative or agentic AI tool’s output flows into a model already governed by SR 26-2, and extend your existing controls to cover that handoff.
  • Track the forthcoming AI-specific guidance. Position your institution to respond when the interagency request for information on AI model risk is released.

Key Takeaways

SR 26-2 replaces SR 11-7 and the 2021 BSA/AML statement with one proportional framework built around model materiality. It targets banks over $30 billion in assets, but community and regional banks with vendor-built models, including BSA/AML systems, remain squarely in its reach. The biggest shift for smaller institutions: buying a model doesn’t buy your way out of validating, monitoring, and documenting it, and rules SR 11-7 fixed for you, like annual validation and vendor contingency plans, are now judgment calls you have to make and document yourself. GenAI stays outside formal scope for now, but risk doesn’t stop at that boundary.

Interested in learning more?

Get a Demo

Frequently Asked Questions

Does SR 26-2 apply to my community bank?

Mainly banks over $30 billion in assets, but it still applies to smaller institutions with significant model complexity or heavy reliance on vendor models such as CECL or ALM.

Is SR 26-2 legally enforceable?

No. Non-compliance with the guidance alone won’t trigger supervisory criticism, though examiners can still act on unsafe or unsound practices tied to poor model risk management.

Does SR 26-2 cover generative AI or agentic AI?

No. Banks must govern GenAI using their own risk principles, and the agencies have signaled a forthcoming request for information focused specifically on AI model risk.


 Empyrean Solutions works with banks and credit unions on the systems this guidance covers most directly, including CECL, ALM, and liquidity stress testing. If your institution is reassessing model governance under SR 26-2, our team can help you think through the inventory and vendor validation questions above.

This article is for informational purposes only and does not constitute legal or regulatory advice. Consult your institution’s legal or compliance counsel for guidance specific to your circumstances. Full text of the guidance is available from the Federal Reserve: SR 26-2, Revised Guidance on Model Risk Management (April 17, 2026).

https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm