
What is SR 11-7?

Quick answer

SR 11-7 is the Federal Reserve's 2011 supervisory guidance on model risk management. It requires banks to validate every model used in decision-making, from credit scoring to AML transaction monitoring. The OCC issued identical requirements as OCC Bulletin 2011-12.

The full answer

SR 11-7 is the Federal Reserve's April 2011 supervisory guidance on model risk management, issued jointly with the OCC as OCC Bulletin 2011-12. Together they set the U.S. standard for how banks must identify, measure, and control the risks that come from using quantitative models in decisions.

The guidance defines a "model" broadly: any quantitative method or system that uses statistical, economic, financial, or mathematical theories to translate inputs into quantitative estimates. Credit scorecards, interest rate risk models, market VaR frameworks, stress testing, fraud detection scores, and AML transaction monitoring systems all qualify. If it processes data to produce a number that drives a decision, it's a model.

Three obligations run through the guidance:

Sound development and use. Developers must document the model's purpose, theoretical basis, data inputs, limitations, and performance benchmarks. The documentation must be thorough enough for an independent reviewer to understand and challenge the work. Undocumented models are a findings report waiting to happen.

Independent validation. A team without a stake in the model's success must evaluate conceptual soundness, test against outcomes data, and run sensitivity analyses. Ongoing monitoring is required after go-live. If performance degrades, someone needs to catch it before examiners do.

Governance and controls. Banks must maintain a complete model inventory. Senior management reports aggregate model risk to the board. Policies must cover the full lifecycle: approval, change management, decommissioning.

In April 2021, five federal agencies (the Fed, OCC, FDIC, FinCEN, and NCUA) issued a joint interagency statement explicitly applying SR 11-7 to BSA/AML systems. Every rule-based AML scenario and every machine learning model used to generate alerts is in scope. That statement ended any ambiguity about whether AML monitoring needed formal model validation.

Why this matters

A bank with 200 models in production and no formal validation program is carrying examination risk it may not see coming. Examiners treat model governance as a proxy for institutional discipline. Weak documentation on a credit model or an unvalidated AML monitoring system shows up in MRA (Matter Requiring Attention) findings. Repeat findings escalate.

The highest-profile SR 11-7 failures tend to involve models that ran for years without recalibration. SR 11-7 was written partly in response to the 2008 crisis, where risk models dramatically underestimated correlated defaults. Regulators have long memories on this point.

For AML specifically, false positive rates that run at 95% or higher often reflect a model performance problem, not just a tuning issue. If the underlying model was never validated against current typologies or recalibrated as customer behavior shifted, it's generating noise instead of signals. SR 11-7 governance is the mechanism for catching that before an examiner does.

Banks using AI for AML transaction monitoring face a harder validation problem. Machine learning models can drift silently, and the explainability requirement under SR 11-7 is genuinely difficult for some architectures. Regulators haven't relaxed the standard for AI. If anything, examiners are more focused on documentation and explainability for machine learning models than for traditional statistical ones.

Weak model governance is one of the patterns that draws examiner attention. A whistleblower complaint about a defective AML model, or a sudden spike in false negatives caught by FinCEN, can prompt an unscheduled review. If an exam goes badly, model governance findings compound other deficiencies already on the table.

The risk scoring models that drive customer risk classification are also in scope. A bank that refreshes CDD and EDD data on schedule but hasn't validated the underlying scoring model in three years has a gap in its SR 11-7 program, even if everything else looks clean.

For institutions with European operations, the EU AI Act's high-risk AI category covers credit scoring and AML systems. The documentation, testing, and oversight requirements run parallel to SR 11-7 in several respects. Banks operating in both jurisdictions will find meaningful common ground between the two frameworks, though the enforcement mechanisms differ.
