Key Changes, Continuity Themes, and Strategic Considerations for Financial Institutions
On April 17, 2026, the Federal Reserve issued SR 26-2, superseding SR 11-7 and the 2021 interagency statement addressing BSA/AML systems. While the new guidance preserves the foundational principles of sound model risk management (MRM), it introduces a more modern, risk-based, and scalable supervisory framework.
For institutions that have built programs around SR 11-7, the practical takeaway is not a wholesale redesign but an opportunity to recalibrate governance, inventories, validation cycles, and documentation standards to align with a more proportionate supervisory approach.
Bottom Line Summary
SR 26-2 retains the core disciplines of strong model governance, independent review, validation, and controls—but shifts supervisory expectations toward tailoring, materiality, and practical implementation based on each institution’s model risk profile.
SR 26-2 is less about lowering standards and more about modernizing expectations. It preserves the discipline of sound model risk management while allowing institutions to apply those disciplines more intelligently, proportionately, and efficiently.
For many organizations, this is an opportunity to simplify legacy frameworks built under SR 11-7 without sacrificing regulatory defensibility.
Tailoring Is Now Explicit
SR 26-2 more clearly aligns expectations to institution size, complexity, and model footprint—supporting more proportionate frameworks for mid-size and regional institutions.
Narrower Definition of “Model”
Simple calculators, deterministic tools, and many spreadsheets may fall outside formal MRM scope—creating an opportunity to refine inventories.
Validation Can Be Smarter
Validation timing and intensity may now better reflect materiality rather than default annual cycles.
Materiality Is Front and Center
Purpose, exposure, inherent risk, and reliance determine control rigor.
AI Requires Separate Governance Thinking
Generative and agentic AI are explicitly outside the guidance’s scope, signaling likely future regulatory treatment elsewhere.
Despite modernization, regulators continue to expect:
Strong Governance
Clear accountability for model ownership, use, review, and remediation.
Independent Challenge
Objective review by qualified personnel with authority and expertise.
Validation Discipline
Conceptual soundness, performance analysis, and ongoing monitoring remain central.
Vendor Accountability
Institutions remain responsible for third-party model outputs and limitations.
Documentation
Sufficient records to evidence decisions, controls, assumptions, and remediation.
MRM leadership teams should view SR 26-2 as a strategic inflection point rather than a compliance burden. Key questions to consider include:
SR 26-2 signals a clear regulatory direction: precision over volume, risk alignment over uniformity, and governance effectiveness over procedural rigidity.
Institutions that proactively realign their MRM frameworks—by simplifying inventories, sharpening risk tiering, and modernizing validation approaches—will not only meet supervisory expectations but also improve operational efficiency and decision-making clarity.
This is less a regulatory reset than an opportunity to build a more agile, defensible, and future-ready model risk management framework.