OCC Bulletin 2026-13 | April 17, 2026

Model Risk Management: Revised Guidance

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Federal Reserve Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the agencies) are issuing updated interagency guidance and this bulletin to clarify model risk management principles, to set forth a risk-based approach to model risk management, and to rescind prior model risk management guidance and other issuances.

Rescissions

This bulletin rescinds

  • “Model Risk Management” booklet of the Comptroller’s Handbook
  • OCC Bulletin 1997-24, “Credit Scoring Models: Examination Guidance,” including the Appendix, “Safety and Soundness and Compliance Issues on Credit Scoring Models”
  • OCC Bulletin 2011-12, “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management”
  • OCC Bulletin 2021-19, “Bank Secrecy Act/Anti-Money Laundering: Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information”

Note for Community Banks

This guidance is applicable to all community banks, subject to the limitations discussed in the guidance.1

Highlights

  • The guidance provides an overview of model risk and model risk management and discusses model development and model use; model validation and monitoring; governance and controls; and considerations related to vendor and other third-party products.
  • Practices that are appropriate and effective for one banking organization may be inappropriate and ineffective for a banking organization with a different risk profile or that uses a model for a different purpose.
  • The general expectation is that this guidance will be most useful for models supporting a banking organization’s significant business lines, operations, services, and functions.
  • Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Furthermore, this guidance is expected to be most relevant to banking organizations with over $30 billion in total assets. However, in some situations, this guidance also may be relevant to banking organizations with total assets of $30 billion or less that have significant exposure to model risk because of the prevalence and complexity of their models or because of activities outside the scope of traditional community banking.
  • This guidance does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism against a banking organization.

Background

In April 2011, the OCC and the Federal Reserve Board issued supervisory guidance on model risk management (2011 guidance), which the OCC and Federal Reserve Board developed jointly.2 In June 2017, the FDIC adopted the 2011 guidance, with technical conforming changes.3 The agencies subsequently issued additional items that served to inform examiner and industry understanding of model risk management, including the OCC’s “Model Risk Management” booklet of the Comptroller’s Handbook, along with the 2021 Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and the related request for information. In addition, while OCC Bulletin 1997-24, including its appendix, predates the 2011 guidance, that bulletin discusses credit score modeling practices.

Based on supervisory experience and industry feedback, as well as technological advancements in modeling over the past several years, the agencies are issuing this guidance to clarify model risk management principles and to set forth a risk-based approach to model risk management, tailored to a banking organization’s model risk profile and the size and complexity of its operations. In particular, the agencies are updating and replacing the 2011 guidance with this updated guidance and rescinding the additional items discussed above. The OCC previously began to address technological, supervisory, and other developments by clarifying the scope of model risk management under existing guidance while acknowledging that the OCC will continue to review model risk management guidance.4

For the purposes of this guidance, the term “model” refers to a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates. The term “model” in this guidance excludes simple arithmetic calculations, such as those found within spreadsheets, as well as deterministic rule-based processes and software where there are no statistical, economic, or financial theories underpinning their design or use. Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Furthermore, this guidance is expected to be most relevant to banking organizations with over $30 billion in total assets. However, in some situations, this guidance also may be relevant to banking organizations with total assets of $30 billion or less that have significant exposure to model risk because of the prevalence and complexity of their models or because of activities outside the scope of traditional community banking.

This guidance highlights sound principles for effective model risk management. In particular, the guidance discusses the factors that influence model risk and the features of effective (1) model development and model use, including model testing; (2) model validation and monitoring, including validating conceptual soundness and outcomes analyses; and (3) governance and controls, including clear policies and roles and responsibilities. The guidance also discusses considerations specific to vendor and other third-party products, including validation of these products. However, as the guidance makes clear, the guidance does not set forth enforceable standards or prescriptive requirements.

The agencies will continue to consider additional measures to address model risk management consistent with broader supervisory and other goals. For example, the agencies plan to issue in the near future a request for information that addresses model risk management generally and considers, in particular, banks’ use of AI, including generative AI and agentic AI and AI-based models.

Further Information

Please contact Chau Do, Chief Economist and Deputy Comptroller for Economics in the Office of the Chief National Bank Examiner (CNBE), at 202-649-5490.

 

James M. Gallagher
Senior Deputy Comptroller and Chief National Bank Examiner

1 “Banks” refers collectively to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.

2 OCC Bulletin 2011-12, “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management”; Supervision and Regulation Letter 11-7, “Guidance on Model Risk Management” (April 4, 2011).

3 Financial Institution Letter-22-2017, “Adoption of Supervisory Guidance on Model Risk Management” (June 7, 2017).

4 Refer to OCC Bulletin 2025-26, “Model Risk Management: Clarification for Community Banks,” noting, for instance, that “OCC’s guidance on model risk management does not, and should not be interpreted to, require community banks to perform annual model validation.”