What changes with SR 26-2?

SR 26-2 is the new joint federal guidance on model risk management in U.S. banking, replacing SR 11-7 after 15 years. The biggest operational change: annual revalidation is out, risk-based oversight tied to model materiality is in, and the institutions that treat it only as a compliance update will miss what that shift actually requires.

The question shifts from 'are we following the rules' to 'is our discipline defensible on its own terms.'

That is a harder question for institutions to answer.

1. Shorter, softer, principles-based

SR 11-7 ran about 20 pages of dense, prescriptive expectations. SR 26-2 is roughly half the length and reads differently. The introductory letter states directly that the guidance does not set forth enforceable standards or prescriptive requirements, and that non-compliance will not, on its own, result in supervisory criticism.

For years, SR 11-7 had been enforced as de facto binding, with deviations triggering Matters Requiring Attention and driving ratings downgrades. A 2019 GAO ruling even classified it as a rule under the Congressional Review Act, even though the agencies had not formally submitted it to Congress. SR 26-2 closes that gap explicitly: this is principles, not a rulebook enforced clause by clause.

For the largest banks, the day-to-day exam experience will not feel dramatically different. Effective challenge, validation, monitoring, and governance are all still expected. What changes is how examinations are conducted, with examiners focusing less on specific paragraph numbers and more on whether an institution's risk discipline is defensible on its own terms.

2. Scope narrowed to institutions above $30 billion

SR 26-2 is explicitly tailored to banking organizations with more than $30 billion in total assets. Smaller institutions are covered only when model use is significant or when activities fall outside traditional community banking. This formalizes a trend OCC Bulletin 2025-26 started last September, which clarified that annual validation was not a community bank requirement.

For regional and community banks, this is real relief. For Tier 1 banks, nothing about applicability changed.

3. The definition of "model" got tighter

SR 11-7's model definition was famously expansive, pulling end-user computing spreadsheets, rule engines, and simple workflow tools into scope at many institutions – creating model inventories difficult to tier, govern, and maintain.

SR 26-2 excludes "simple arithmetic calculations, such as those found within spreadsheets, as well as deterministic rule-based processes and software" from the definition of a model. The definition itself adds the word "complex" and requires the system to apply statistical, economic, or financial theory.

Banks that had been treating EUC spreadsheets as in-scope models can formally retire that classification. Whether they should retire the governance discipline that went with it is a separate, important question.

4. Annual review cycles replaced with risk-based cadence

SR 11-7's pattern of annual revalidation, interpreted as a default across materiality levels, is gone. SR 26-2 reframes validation frequency as a function of materiality, change velocity, and data availability, with explicit triggers for re-review. For most institutions, this is the biggest operational change.

The regulation also formalizes materiality as the combination of model exposure (the dollar magnitude of decisions the model drives) and model purpose (regulatory vs. internal decision-support), modulated by inherent risk. High-materiality models get intensive oversight. Immaterial models can be maintained in inventory with lightweight controls, provided there is a mechanism to detect when they become material.

Banks running a full re-tiering exercise in the next 90 days should expect a distribution where 10 to 30% of legacy models shift tier, mostly downward, with some upward adjustments for regulatory reporting and BSA/AML uses.

5. Independence is now about rigor, not reporting line

SR 11-7 was read by most banks as requiring structural independence between model developers and validators, which in practice meant separate reporting lines. SR 26-2 states directly that "the quality of validation process depends on the rigor and effectiveness of the review rather than on organizational structure."

Validators can now sit closer to development, provided the rigor of the review is demonstrable and conflicts are managed. This provides explicit regulatory cover for organizations that want to embed governance into the model development lifecycle rather than wait for a handoff at the end. Many Domino customers call this shifting governance left – and it now has a formal supervisory basis.

6. Generative AI and agentic AI are explicitly carved out

SR 26-2 states: "Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance."

Out of SR 26-2 scope is not the same as out of governance scope — institutions still need a parallel framework to govern generative AI and agentic systems that the guidance deliberately left out. Other frameworks already apply to GenAI, the EU AI Act, state laws in Colorado and Texas, and NIST’s AI Risk Management Framework, with more likely to come. The constructive posture is to govern GenAI under a parallel bridge track now, positioned to manage whatever comes next.

What did not change

The intellectual architecture from SR 11-7 is preserved. Effective challenge remains the core governance principle. The three validation pillars, conceptual soundness, outcomes analysis, and ongoing monitoring, remain. Third-party and vendor model validation remains a distinct requirement, with banks accountable for outsourced models.

SR 26-2 is a refinement of the framework, not a repudiation of it.

The executive questions

SR 26-2 is a starting point, not an arrival. Three questions belong on the executive agenda now.

1. How defensible is our current risk posture on its own terms, now that the prescriptive rulebook has lessened?
   SR 26-2 removed the checklist. The real test now is to look at every control in your program and ask whether you can articulate the risk it manages, independent of what the guidance requires. The ones you can't are your exposure.
2. How do we govern the AI and GenAI systems that the regulation carved out, before the next wave of governance arrives?
   A parallel bridge track that mirrors SR 26-2 principles where they fit and adds GenAI-specific controls elsewhere is the architecture that survives both the current regulatory gap and what comes next.
3. How do we build a function that absorbs the next regulatory change without a multi-month rebuild?
   The institutions that answer this well will gain an advantage through multiple regulatory cycles, not just this one.

Let’s continue this SR 26-2 conversation at Rev New York on May 19th, Domino's annual FSI conference. David Palmer, author of SR 11-7, is keynoting, and I’ll be leading a panel with model risk management leaders from Capital One, TIAA, and New York Life. Register now →