What is model risk management?
Quick answer
Model risk management (MRM) is the practice of identifying, assessing, and controlling the risks that arise when banks use quantitative models to make decisions. The primary US framework is SR 11-7, the joint Federal Reserve and OCC guidance issued in 2011 (the FDIC adopted it in 2017). Any model can produce wrong outputs; MRM is how banks limit that exposure.
The full answer
Model risk management (MRM) is the formal practice of identifying, measuring, monitoring, and controlling the risks that come from using quantitative models in financial decision-making. It is not optional for regulated institutions. SR 11-7 is formally supervisory guidance rather than a regulation, but examiners apply it as the standard, and failures against it show up in exam findings and enforcement actions.
The US framework comes from SR 11-7, joint guidance from the Federal Reserve and OCC issued in April 2011. SR 11-7 defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." The definition is deliberately broad. It covers credit scoring, AML transaction monitoring, stress testing, fraud detection algorithms, customer risk rating engines, and interest rate risk models.
Models fail in two ways: fundamental errors in design or implementation, and misapplication of a sound model outside the conditions it was built for. A credit model trained on pre-2008 data and deployed in 2009 could pass every test of its design and still be wrong for the environment it was used in. That second failure mode is what gets banks in trouble: the model passed validation, the documentation looked fine, but outcomes diverged from predictions. SR 11-7 names both sources of model risk explicitly.
SR 11-7 requires three things of every bank:
Model development and implementation. Sound design, documented assumptions, appropriate training data. The development team must demonstrate the model is fit for its stated purpose before it goes into production.
Independent model validation. A separate function, independent of the developers, challenges conceptual soundness, tests performance against benchmarks, and documents all findings. This is the function examiners scrutinize most closely. Validation can't be done by the team that built the model; that's not independence, it's self-review.
Ongoing monitoring. Models degrade. Data drifts. Customer behavior shifts. Regulatory definitions change. Banks must track outcomes against predictions and trigger re-validation when performance slips. SR 11-7 treats ongoing monitoring as one of the three core elements of validation, alongside evaluation of conceptual soundness and outcomes analysis, and expects its frequency to match the nature and risk of the model; the Model Risk Management booklet of the OCC's Comptroller's Handbook (2021) reinforces that it is a continuing process, not a once-a-year exercise.
Every bank must also maintain a comprehensive model inventory: every model in production, its owner, its validation status, its risk tier, and its intended use. Examiners ask for this on day one of a model risk exam. Gaps in the inventory are findings before they've looked at anything else.
AI and machine learning models
AI-powered AML transaction monitoring sits squarely inside the SR 11-7 perimeter. So does any machine learning model driving customer risk ratings, fraud scoring, or sanctions screening decisions.
The challenge is interpretability. A logistic regression produces coefficients you can print and defend in a meeting with your primary regulator. A gradient boosted tree or a deep neural network doesn't work that way. US examiners and EU regulators are increasingly explicit that "the model said so" is not an acceptable explanation for a decision that affects a customer or generates a SAR.
The EBA Guidelines on Internal Governance (EBA/GL/2021/05) require institutions to ensure model transparency and auditability, including for AI-driven tools. Banks operating under EBA supervision face this requirement in addition to whatever local MRM framework applies.
The EU AI Act (Regulation (EU) 2024/1689) adds a further layer. AI systems used to evaluate the creditworthiness of natural persons or establish their credit score are listed in Annex III as high-risk AI systems (Annex III point 5(b)), and the same point expressly carves out AI used to detect financial fraud; AML transaction monitoring is not listed in Annex III, so a bank has to classify each such system on its actual use. For the systems that are high-risk, the Act requires conformity assessments, technical documentation, human oversight mechanisms, and post-market monitoring. For banks operating in the EU, MRM and AI Act compliance are overlapping obligations, and any institution deploying AI in financial services in or into the EU needs to work out which of its models the Act reaches.
What examiners actually check
When a regulatory exam covers model risk, examiners typically ask for:
- The complete model inventory
- Validation reports for tier-1 and tier-2 models
- Evidence of independent validation: a separate team, documented findings, no shared management with developers
- Ongoing monitoring reports showing performance metrics over time
- Documentation of model changes and whether re-validation was triggered
- Evidence that model outputs are reviewed by qualified staff before high-stakes decisions are made
Missing validation reports, stale monitoring data, or validators who weren't genuinely independent are standard grounds for MRAs.
Why this matters
MRM failures produce real enforcement actions. The sequence is predictable.
The OCC and the Federal Reserve issue Matters Requiring Attention (MRAs) for model validation gaps as a routine exam finding. The Federal Reserve designates the most serious of these Matters Requiring Immediate Attention (MRIAs), which require written remediation plans with firm deadlines. From there, the path leads to formal enforcement: consent orders, civil money penalties, or restrictions on new business activity.
The sequence that follows a failed AML exam is a useful reference. MRM failures in AML-adjacent models, specifically transaction monitoring systems and customer risk rating models, appear regularly in enforcement actions. A monitorship can explicitly require MRM remediation as a condition, with an independent monitor reviewing validation work until regulators are satisfied.
The performance argument is just as concrete. By widely cited industry estimates, roughly 95% of AML alerts at most institutions are false positives. That rate is a model performance signal. A well-governed MRM program catches model drift through ongoing monitoring and triggers re-tuning before the false-positive rate becomes a regulatory topic. Without that discipline, banks carry thousands of hours of wasted analyst reviews each year while genuinely suspicious activity slips through a model calibrated for the wrong environment.
Customer risk ratings that don't get refreshed are the same failure in a different form. The model produces a score; nobody monitors whether the score still reflects reality; a customer rated low-risk in 2022 is still rated low-risk in 2025 despite changed transaction behavior. That's a model monitoring failure, and it's precisely what SR 11-7 requires banks to prevent.
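The monitoring discipline described under "Ongoing monitoring" above, and the two failure modes just discussed (a drifting false-positive rate and risk ratings nobody refreshes), can be reduced to a small set of checks that run on a schedule and open a re-validation ticket when a threshold is crossed. The following is an added, illustrative example, not code from the page or from any vendor's MRM tooling. The thresholds (a PSI of 0.25 as the common rule-of-thumb cut-off for a shifted population, a 95% false-positive rate, a 365-day refresh window), the data classes and the sample alerts and ratings are all constructed assumptions; a real MRM policy sets such limits per model tier.

```python
"""Ongoing-monitoring checks of the kind SR 11-7 describes: compare model
outputs with realised outcomes, watch for input drift, and raise a
re-validation trigger when a threshold is crossed. Added illustrative
example; thresholds and sample data are constructed, not real bank data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import math

# Illustrative thresholds (assumptions): a real MRM policy sets them per model tier.
PSI_TRIGGER = 0.25          # rule of thumb: PSI above 0.25 means the population has shifted
FP_RATE_TRIGGER = 0.95      # share of alerts closed without a SAR
MAX_RATING_AGE_DAYS = 365   # customer risk ratings older than this are stale
AS_OF = date(2025, 6, 30)   # date the checks are run (constructed)


@dataclass(frozen=True)
class Alert:
    period: str       # reporting month, "YYYY-MM"
    score: float      # model score in [0, 1]
    filed_sar: bool   # analyst outcome once the review closed


@dataclass(frozen=True)
class RiskRating:
    customer_id: str
    rating: str             # "low" / "medium" / "high"
    last_refreshed: date


def psi(baseline, current, bins=10, eps=1e-4):
    """Population Stability Index of `current` scores against `baseline`,
    on equal-width bins over [0, 1]. Empty bins are floored at `eps` so the
    logarithm stays finite. Needs no outcome labels, so it catches drift
    months before SAR decisions are available for outcomes analysis."""
    def shares(scores):
        counts = [0] * bins
        for s in scores:
            counts[min(int(s * bins), bins - 1)] += 1
        return [max(c / len(scores), eps) for c in counts]
    return sum((c - b) * math.log(c / b)
               for b, c in zip(shares(baseline), shares(current)))


def false_positive_rate_by_period(alerts):
    """Share of alerts in each period that were closed without a SAR (outcomes analysis)."""
    totals, sars = defaultdict(int), defaultdict(int)
    for a in alerts:
        totals[a.period] += 1
        sars[a.period] += a.filed_sar
    return {p: 1 - sars[p] / totals[p] for p in sorted(totals)}


def stale_ratings(ratings, today, max_age_days=MAX_RATING_AGE_DAYS):
    """Customer risk ratings not refreshed within the policy window."""
    return [r for r in ratings if (today - r.last_refreshed).days > max_age_days]


def run_checks(baseline_scores, alerts, ratings, today):
    """Return (check, subject, value) triggers that should open a re-validation ticket."""
    triggers = []
    drift = psi(baseline_scores, [a.score for a in alerts])
    if drift > PSI_TRIGGER:
        triggers.append(("score_drift", "all", round(drift, 3)))
    for period, rate in false_positive_rate_by_period(alerts).items():
        if rate > FP_RATE_TRIGGER:
            triggers.append(("false_positive_rate", period, round(rate, 3)))
    for r in stale_ratings(ratings, today):
        triggers.append(("stale_risk_rating", r.customer_id, (today - r.last_refreshed).days))
    return triggers


# Constructed sample data. Validation-time score distribution: 10 scores in each of 10 bins.
BASELINE_SCORES = [b / 10 + 0.05 for b in range(10) for _ in range(10)]

# Three months of production alerts; the model now fires almost only at high scores.
SAMPLE_ALERTS = (
    [Alert("2024-01", 0.75, i < 4) for i in range(40)]    # 90% false positives
    + [Alert("2024-02", 0.85, i < 3) for i in range(50)]  # 94%
    + [Alert("2024-03", 0.95, i < 2) for i in range(60)]  # about 96.7%, above the trigger
)

SAMPLE_RATINGS = [
    RiskRating("C001", "low", date(2022, 3, 1)),     # never refreshed: stale
    RiskRating("C002", "high", date(2025, 1, 15)),
]

if __name__ == "__main__":
    for trigger in run_checks(BASELINE_SCORES, SAMPLE_ALERTS, SAMPLE_RATINGS, AS_OF):
        print(trigger)
```

On the sample data the run produces three triggers: a score-drift trigger (the production scores sit entirely in the top three bins while validation saw a flat distribution), a false-positive trigger for 2024-03, and a stale-rating trigger for customer C001. The point of separating the PSI check from the outcome check is timing: SAR outcomes lag alerts by weeks or months, so a distribution check on scores or inputs is often the first signal that the environment the model was calibrated for has changed.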
The EU AI Act adds a commercial dimension. Non-compliance with the high-risk AI requirements carries administrative fines of up to EUR 15 million or 3% of worldwide annual turnover, whichever is higher. For a large institution, that's a material number. The obligations for Annex III high-risk systems apply from 2 August 2026, which is the date to plan the compliance investment around.
Related questions
- Can AI be used for AML transaction monitoring? AI-based monitoring systems are subject to the full SR 11-7 model validation framework, including independent validation and ongoing monitoring.
- What triggers a regulatory exam? MRM gaps in core models are a common trigger, particularly when monitoring reports are stale or validation coverage is incomplete.
- What percentage of AML alerts are false positives? High false-positive rates are a model performance signal that MRM governance should catch and escalate for re-tuning.
- Who needs to comply with the EU AI Act? EU AI Act obligations layer on top of existing MRM for banks using AI in financial risk decisions.
- How often should customer risk ratings be refreshed? Risk rating models require ongoing monitoring and scheduled re-validation under SR 11-7.
Related concepts and regulations
- SR 11-7 (Federal Reserve / OCC, 2011): The foundational US guidance on model risk management. Covers model development, implementation and use; independent validation, with ongoing monitoring and outcomes analysis as core elements; and governance, policies and controls, including the model inventory.
- EU AI Act, Regulation (EU) 2024/1689, Annex III: Classifies AI used for creditworthiness assessment and credit scoring of natural persons as high-risk, adding conformity assessment and human oversight requirements on top of MRM; fraud detection is expressly excluded and AML monitoring is not listed.
- EBA/GL/2021/05: EBA Internal Governance Guidelines requiring model transparency and auditability for institutions under EBA supervision.
- What happens when a bank fails an AML exam? MRM failures in monitoring and risk-rating models are a recurring theme in AML enforcement actions.
- What is a monitorship and when is one imposed on a bank? Monitorships sometimes include explicit MRM remediation requirements, with the monitor reviewing validation work until regulators are satisfied.