US-OCC risk management

SR 11-7: What It Requires and Who It Applies To

Applies to: banks
Jurisdictions: US

SR 11-7 is joint supervisory guidance from the Federal Reserve Board and the OCC (as Bulletin 2011-12), issued in April 2011, requiring U.S. banks to manage risks arising from quantitative models used in business decisions. Covered institutions must maintain a complete model inventory, conduct independent validation, and establish board-level governance over model development and use.

What is SR 11-7?

SR 11-7 is supervisory guidance on model risk management issued by the Federal Reserve Board in April 2011 and simultaneously adopted by the OCC as Bulletin 2011-12. It is the defining U.S. regulatory standard for how banks must develop, validate, and oversee the quantitative models that drive their business and risk decisions.

The context matters. The 2008 financial crisis exposed how badly model failures had amplified systemic damage. Banks had placed enormous weight on credit risk models, mortgage valuation engines, and capital adequacy calculations without adequately testing their assumptions or challenging their outputs. When those models broke, the losses were catastrophic and fast. SR 11-7 was the direct regulatory response.

The guidance defines "model" broadly. Any quantitative method, system, or approach that uses statistical, economic, financial, or mathematical logic to process inputs into estimates used for business decisions qualifies. That scope is wide by design. Credit scoring engines, DFAST stress test models, CECL loan loss provisions, AML transaction monitoring systems, market risk VaR calculations, and vendor-supplied pricing tools all fall within it.

Three pillars structure the guidance: sound model development and implementation, effective challenge through independent validation, and governance with clear board accountability. Regulators apply SR 11-7 as a baseline expectation during examinations, not a best-practice suggestion. The document is written in principles-based language, which gives examiners wide discretion to cite deficiencies. Since 2011, the Federal Reserve and OCC have referenced SR 11-7 in supervisory findings at dozens of institutions, from regional banks to global systemically important institutions.

Who does SR 11-7 apply to?

SR 11-7 applies to any institution supervised by the Federal Reserve or the OCC that uses models in its operations. There's no explicit asset-size threshold baked into the guidance itself, though the degree of rigor expected scales with the institution's complexity and its reliance on models.

Covered entity types include:

  • National banks chartered by the OCC under the National Bank Act, regardless of size
  • Federal savings associations, OCC-supervised thrift institutions
  • State member banks, chartered by state regulators but members of the Federal Reserve System
  • Bank holding companies and their subsidiaries, supervised by the Federal Reserve
  • Savings and loan holding companies, Federal Reserve-supervised
  • U.S. branches and agencies of foreign banks where the OCC or Fed holds supervisory authority
  • Community banks using any quantitative models in credit, pricing, or risk decisions (proportionality applies, but the obligations still exist)
  • Edge Act corporations and agreement corporations supervised by the Federal Reserve

In practice, scrutiny intensifies at larger institutions. Banks with more than $100 billion in assets must also comply with Dodd-Frank Act stress testing and CCAR requirements, both of which treat SR 11-7 compliance as a precondition. Any institution using AI or machine learning models for credit underwriting, fraud detection, or portfolio management is explicitly in scope. State non-member banks supervised by the FDIC are not directly subject to SR 11-7, but the FDIC has issued parallel guidance that mirrors most of its substance.

The guidance doesn't stop at in-house models. Vendor-supplied tools, off-the-shelf scoring engines, and third-party risk systems are all covered. "We bought it" is not an acceptable defense during examination.

What does SR 11-7 require?

The guidance imposes obligations across three areas: model development and implementation, independent validation, and governance.

Model development and implementation:

  1. Maintain a complete, current model inventory that identifies every model in use, its purpose, its owner, its risk tier, and its last validation date
  2. Document model design, mathematical logic, data inputs, assumptions, and intended use scope at the time of development
  3. Test models with out-of-sample and out-of-time data before deployment; performance benchmarks must be defined before results are known, not reverse-engineered afterward
  4. Assess whether a model is appropriate for its intended use, including any secondary uses beyond those originally designed
  5. Apply the same standards to vendor-supplied models; institutions must understand what third-party models do, obtain conceptual summaries from vendors, and conduct their own outcomes testing

Independent validation:

  1. Validation must be performed by staff or teams with no involvement in model development, backed by actual reporting-line separation, not just informal distance
  2. Validation scope must include conceptual soundness review, outcomes analysis, sensitivity testing, and benchmarking against alternatives
  3. "Effective challenge" is a specific requirement: validators must have the authority and domain expertise to question assumptions, not just confirm that documentation exists
  4. Validation frequency is risk-based; material models should be reviewed at least annually, and any significant change to a model's design, data, or use context triggers an out-of-cycle validation

Governance:

  1. A written model risk management policy, approved by the board of directors, covering scope, tiering criteria, roles, and escalation paths
  2. Senior management accountability for model risk, with direct escalation routes to the board
  3. Formal processes for approving model changes, retiring decommissioned models, and managing inventory gaps when undocumented models are discovered
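As an added illustration (not code from the page or from the FluxForce product), the check below applies the inventory and validation-frequency obligations above to a constructed model inventory, flagging records that are incomplete, never validated, overdue for their tier, or materially changed since their last validation. The tier-to-interval table is an assumed policy: SR 11-7 itself only says validation is risk-based and at least annual for material models.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed tiering policy (illustrative, not from SR 11-7): maximum days between
# validations per risk tier. High-tier (material) models are reviewed annually.
MAX_DAYS_BETWEEN_VALIDATIONS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class ModelRecord:
    """One inventory row carrying the fields the guidance expects to be tracked."""
    name: str
    owner: str
    purpose: str
    risk_tier: str
    last_validated: Optional[date]        # None means the model was never validated
    last_material_change: Optional[date]  # change to design, data or use context


def inventory_findings(inventory, today):
    """Return {model name: [issues]} for records that would draw examiner attention."""
    findings = {}
    for rec in inventory:
        issues = []
        if not rec.owner or not rec.purpose:
            issues.append("incomplete inventory record (owner/purpose missing)")
        limit = MAX_DAYS_BETWEEN_VALIDATIONS.get(rec.risk_tier)
        if limit is None:
            issues.append(f"unrecognised risk tier {rec.risk_tier!r}")
        if rec.last_validated is None:
            issues.append("never validated")
        else:
            age = (today - rec.last_validated).days
            if rec.last_material_change and rec.last_material_change > rec.last_validated:
                issues.append("material change after last validation: out-of-cycle validation required")
            if limit is not None and age > limit:
                issues.append(f"validation overdue by {age - limit} days")
        if issues:
            findings[rec.name] = issues
    return findings


# Constructed sample inventory; the model names and dates are made up for this example.
SAMPLE_INVENTORY = [
    ModelRecord("credit-score-v3", "Retail Credit", "consumer underwriting", "high", date(2023, 5, 1), None),
    ModelRecord("cecl-provision", "Finance", "loan loss provisioning", "high", date(2024, 1, 15), date(2024, 4, 2)),
    ModelRecord("aml-tm-ml", "Financial Crime", "transaction monitoring", "medium", date(2023, 9, 10), None),
    ModelRecord("branch-pricing-sheet", "", "deposit pricing", "low", None, None),
]


def sample_findings():
    """Run the check against the constructed inventory as of an assumed exam date."""
    return inventory_findings(SAMPLE_INVENTORY, date(2024, 6, 30))


if __name__ == "__main__":
    for name, issues in sample_findings().items():
        print(name, "->", "; ".join(issues))
```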

What evidence do regulators expect?

Examiners from the OCC and Federal Reserve expect documentation across the entire model lifecycle. Walking into an exam without this paper trail is the fastest way to collect a Matter Requiring Attention.

Audit-day checklist:

  • A written, board-approved model risk management policy covering scope, risk tiering criteria, governance structure, and escalation paths
  • A complete model inventory with each model's name, owner, purpose, risk tier, last validation date, and validation status
  • Validation reports for all material models, signed off by an independent party, covering conceptual soundness review, outcome testing, and benchmarking results
  • Evidence of actual organizational separation between model developers and validators through different reporting lines, not just different offices
  • Senior management model risk committee minutes showing escalation of high-risk model findings and board-level awareness of material exceptions
  • Written records of effective challenge: validator concerns raised in writing, with documented resolution or formally accepted risk exceptions
  • Ongoing performance monitoring logs for active models, with evidence that monitoring results feed back into revalidation triggers
  • Training records showing model users and risk staff understand the models they rely on, including their limitations
  • Third-party model due diligence records, especially for vendor tools where full methodology disclosure is restricted
  • Approval documentation for all model changes, scope extensions, and version updates

Examiners pay close attention to AI and machine learning models because black-box model risks and limited explainability create the exact gaps that SR 11-7's effective challenge requirement was designed to close.

Common failure modes

Most SR 11-7 findings cluster around a handful of recurring gaps rather than novel violations.

  • Incomplete model inventory. Banks regularly discover undocumented models during examinations. A business line builds a scoring tool for one purpose, it gets repurposed across the organization, and the risk management function doesn't know it exists until an examiner finds it. Inventory gaps are one of the most common MRA triggers.

  • Nominal independence in validation. Organizational separation on paper doesn't satisfy the guidance if validators report to the same senior manager as developers, or if business lines set validation timelines and budgets. Examiners are experienced at identifying independence that exists only on an org chart.

  • Validation without effective challenge. Reports that confirm a model is "functioning as designed" without questioning whether the design is appropriate fall short of the standard. Regulators want documented evidence of push-back, not sign-off. A validation that never disagrees with anything is itself a finding.

  • Vendor model pass-through. Treating a third-party model as a black box because the vendor won't disclose full methodology is a consistent examiner target. SR 11-7 requires adequate understanding of all models, which means banks must push vendors for conceptual summaries and conduct their own outcomes testing.

  • Stale validation schedules. Models that haven't been validated in two or three years while their input data has shifted, the business context has changed, or the regulatory environment has evolved are a recurring examination target. This problem is common in credit models originally built during a benign rate environment and left untouched through rate cycle changes.

  • Governance gaps for AI/ML. AI governance in financial services is increasingly the area where OCC and Fed examiners focus, as many institutions have deployed machine learning models faster than their MRM frameworks have adapted. The OCC's Semi-Annual Risk Perspective has flagged model risk governance as a recurring supervisory concern, with AI-driven decisioning systems receiving specific attention.

Penalties for non-compliance

SR 11-7 is supervisory guidance, not a statute, so there's no penalty schedule attached to the document itself. The enforcement consequences flow through the OCC's and Federal Reserve's examination authority and administrative action powers under 12 U.S.C. § 1818.

In practice, failures produce a spectrum of outcomes:

  • Matters Requiring Attention (MRAs): Non-public supervisory findings that require a written remediation plan and a defined timeline. Multiple open MRAs for model risk management signal a systemic governance failure and attract intensified supervisory attention.
  • Matters Requiring Immediate Attention (MRIAs): More severe findings requiring faster remediation, typically within 30 to 90 days, often connected to safety-and-soundness concerns.
  • Formal Agreements and Consent Orders: Public actions that restrict certain business activities and require board-level commitments until deficiencies are remediated. These are published in the OCC's enforcement action database.
  • Civil Money Penalties: Up to $1 million per day per violation under 12 U.S.C. § 1818(i), with repeat or willful violations subject to $1 million per violation.

The clearest enforcement benchmark is the 2020 action against Citibank, N.A. The OCC issued a formal agreement and imposed a $400 million civil money penalty for risk management failures that included data governance and model oversight deficiencies. The Federal Reserve issued a concurrent consent order. Total remediation costs, including system rebuilds and staffing, ran into the billions.

In 2022, the OCC fined Morgan Stanley $60 million over data management failures tied to decommissioned technology systems, citing inadequate model and system inventory controls. Model inventory failures aren't abstract compliance findings; they attract material penalties.

For institutions where BCBS 239 deficiencies co-exist with SR 11-7 gaps, examiners frequently cite both frameworks in the same examination cycle.

Related regulations and frameworks

SR 11-7 sits within a dense cluster of related requirements. Managing model risk in isolation from the adjacent regulatory landscape produces compliance gaps.

Domestic:

  • DFAST and CCAR: Dodd-Frank Act stress testing requirements explicitly require SR 11-7-compliant model governance for capital models. Any bank with over $100 billion in assets must treat its stress test models as material models subject to the full development, validation, and governance cycle. The Federal Reserve's DFAST supervisory guidance references SR 11-7 directly.
  • CECL (ASC 326): Credit loss provisioning models built under FASB's CECL standard must satisfy SR 11-7 validation requirements. The OCC, Fed, and FDIC issued joint guidance in 2019 confirming this link.
  • BSA/AML compliance: Banks that use machine learning for transaction monitoring and SAR filing decisions must validate those models under SR 11-7. Examiners from FinCEN, OCC, and the Fed increasingly coordinate on findings that span both AML governance and model risk.

International equivalents:

  • SS5/21 (UK-PRA): The Prudential Regulation Authority's model risk management supervisory statement, published in May 2023, closely mirrors SR 11-7 and applies to all UK PRA-supervised banks and insurers. The two frameworks are compatible and can be addressed through a unified MRM program with jurisdiction-specific documentation.
  • BCBS 323: The Basel Committee's operational risk guidance addresses model risk as a component of operational risk capital requirements for internationally active banks.
  • EU AI Act (EU): For AI-based credit scoring, fraud detection, and risk management models used in the EU, the AI Act's high-risk system classification adds conformity assessment obligations that layer on top of SR 11-7-equivalent requirements. Banks operating across both jurisdictions face additive obligations.

SR 11-7 is also the domestic framework most frequently cited alongside supervisory guidance on climate-related financial risk models, where the Fed's November 2023 pilot for the six largest U.S. banks treated model governance as a prerequisite.

How FluxForce supports SR 11-7 compliance

FluxForce's AI agents generate full decision trails for every risk determination. Model validators get the documentation they need to demonstrate effective challenge. Nova Sentinel and Aiden Flux maintain structured logs of inputs, weightings, and outputs across each assessment cycle. The platform's built-in model monitoring provides the ongoing performance tracking SR 11-7 requires, with automated alerts when model behavior shifts outside defined tolerances. Its regulatory compliance automation capabilities connect model governance workflows to examination-ready reporting. See it in practice with a live demo.

FluxForce AI agents automate evidence capture, monitor transactions against SR 11-7 obligations in real time, and generate audit-ready reports with full decision trails.
