What is SR 11-7?
SR 11-7, formally titled "Supervisory Guidance on Model Risk Management," is Federal Reserve supervisory guidance issued on April 4, 2011, in conjunction with OCC Bulletin 2011-12. The guidance establishes expectations for how banks identify, manage, and control model risk across all quantitative methods used for business decisions.[1]
Regulatory Definition of a Model
SR 11-7 defines a model as follows:
"The term 'model' refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates."
A model consists of three components: (1) an information input component, (2) an estimation component that transforms inputs into estimates, and (3) a reporting component that translates estimates into useful business information.[1]
This definition is intentionally broad. It encompasses traditional statistical models (linear regression, logistic regression, time series forecasting), as well as modern machine learning systems, neural networks, and generative AI applications. If a system processes data through mathematical transformations to produce quantitative outputs used for business decisions, it falls within scope.
Applicability
SR 11-7 applies to all Federal Reserve-supervised institutions, including:
- Bank holding companies (BHCs)
- Savings and loan holding companies (SLHCs)
- State member banks
- Foreign banking organizations (US operations)
The companion OCC Bulletin 2011-12 extends the same requirements to national banks and federal savings associations. Together, these documents establish model risk management as a supervisory expectation across the entire US banking system.[4]
Why SR 11-7 Matters for AI
When SR 11-7 was issued in 2011, banks primarily deployed traditional statistical models: credit scorecards, loss forecasting models, stress testing frameworks. The guidance focused on validating linear assumptions, parameter stability, and economic theory.
By 2025, the model landscape has fundamentally changed. Banks now deploy:
- Fraud detection ML models that analyze transaction patterns in real-time
- Large language models for customer service, compliance monitoring, and document generation
- Neural networks for credit underwriting, trading algorithms, and anti-money laundering (AML)
- Third-party AI APIs where the bank has no visibility into training data or model architecture
The Federal Reserve confirmed in 2024 guidance that AI/ML models fall squarely within SR 11-7 scope, stating regulators expect banks to apply the same rigor to AI systems as to traditional models—regardless of complexity or vendor source.[5]
The AI Validation Challenge
Traditional model validation relies on three pillars: conceptual soundness review, ongoing performance monitoring, and outcomes analysis. These work well for transparent models with documented assumptions.
AI introduces fundamental challenges:
Traditional Models vs. AI Systems
| Dimension | Traditional Models | AI/ML Systems |
|---|---|---|
| Explainability | Coefficients interpretable; economic theory clear | Black-box; feature interactions opaque |
| Stability | Parameters fixed unless manually updated | Continuous learning; drift over time |
| Training Data | Documented, version-controlled | Often proprietary; internet-scale corpora |
| Validation | Hold-out testing; sensitivity analysis | Adversarial testing; bias metrics; hallucination rates |
| Vendor Models | Source code review possible | API access only; no code visibility |
Despite these differences, regulators expect banks to demonstrate effective challenge of AI models—meaning independent validators must critically assess whether the model is appropriate for its intended use, performs as expected, and produces fair outcomes.[6]
Core Requirements
SR 11-7 organizes model risk management around three core activities: model development and implementation, model validation, and model use. Banks must establish controls across the entire model lifecycle.
1. Model Development, Implementation, and Use
The guidance requires rigorous standards for model development:
Design and Construction
Models should be based on sound theory and documented judgments. Development teams must articulate why specific modeling techniques were chosen, what alternatives were considered, and what assumptions underpin the approach. For AI systems, this includes choice of architecture, feature engineering, and training methodology.[1]
Testing Prior to Implementation
Before deployment, models must be rigorously tested using representative data. Testing should assess accuracy, robustness to input variations, and performance across different scenarios. Banks must document test results, limitations identified, and any compensating controls implemented to address weaknesses.[1]
Implementation and Integration
Deploying a model involves integration with data systems, decision workflows, and reporting infrastructure. Implementation must be controlled through change management processes. Banks should establish clear policies defining authorized model uses and prohibiting unauthorized applications.[1]
Ongoing Monitoring
Once in production, models require continuous monitoring. Banks must track actual vs. predicted performance, detect degradation, and identify emerging risks. Monitoring frequency should reflect model materiality and market conditions. For AI models, this includes drift detection and fairness metrics.[1]
2. Model Validation
Validation is the cornerstone of SR 11-7 compliance. The guidance defines validation as:
"A set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses... Effective validation requires evaluating conceptual soundness, ongoing monitoring, and outcomes analysis."[1]
Critically, validation must be performed by a qualified party independent of model development. This ensures objective challenge and prevents developers from validating their own work.[1]
3. Governance, Policies, and Controls
Senior management and the board of directors bear ultimate responsibility for model risk. SR 11-7 requires:
- Board oversight — Understanding the nature and extent of model risk exposure
- Senior management accountability — Establishing the MRM framework and ensuring compliance
- Policies and procedures — Documented standards for model development, validation, and use
- Model inventory — Comprehensive catalog of all models in use
- Contingency plans — Procedures for model failure or performance degradation[1]
Model Validation: Effective Challenge
The concept of "effective challenge" is central to SR 11-7 validation requirements. Validators must critically and independently assess models, not simply confirm that developers followed procedures.
Three Components of Validation
Conceptual Soundness
Assess whether the model design is appropriate for its intended purpose. Review the theoretical basis, modeling assumptions, mathematical structure, and choice of inputs. For AI models, evaluate whether the algorithm type suits the problem and whether training data is representative.[1]
Ongoing Monitoring
Continuously evaluate model performance against benchmarks and key metrics. Monitor for degradation, detect data drift, and assess whether model relationships remain stable. Establish triggers for when models require recalibration or redevelopment.[1]
Outcomes Analysis
Compare model outputs to actual outcomes. Conduct backtesting to assess predictive accuracy. Analyze outliers, exceptions, and overrides. Determine whether models perform as expected in real-world conditions and whether business decisions based on model outputs are sound.[1]
Independence Requirements
SR 11-7 emphasizes that validation must be conducted by "a qualified party who is independent of the development process." This creates a fundamental organizational challenge: banks must build separate validation teams with expertise equal to or exceeding that of model developers.[1]
The guidance recognizes several acceptable independence structures:
- Internal validation team — A separate unit within the bank that reports independently of business lines
- Third-party validators — External consultants or specialized firms providing validation services
- Hybrid approach — Internal teams validate most models; external experts validate the most complex or material models
What matters is that validators have no reporting relationship to model developers, no financial stake in model approval, and sufficient stature to challenge senior business unit leaders if necessary.[1]
Validation Frequency
SR 11-7 does not mandate specific validation intervals, instead requiring that frequency reflect model risk. Factors determining validation timing include:
- Materiality of model's business impact
- Model complexity and uncertainty
- Changes in market conditions or business environment
- Observed performance degradation[1]
In practice, most banks validate high-risk models annually, medium-risk models every 18-24 months, and low-risk models every 2-3 years. However, AI models often require more frequent validation due to drift and changing data distributions.[7]
Model Inventory & Documentation
A comprehensive model inventory is foundational to SR 11-7 compliance. Regulators consistently cite incomplete inventories as a top examination finding—particularly the failure to identify "shadow AI" deployed by business units without formal approval.[2]
Inventory Requirements
The model inventory should capture all quantitative systems meeting the SR 11-7 definition, regardless of whether they were formally designated as "models" at implementation. At minimum, the inventory must include:
Model Inventory Data Elements
| Element | Description |
|---|---|
| Model Name / ID | Unique identifier and descriptive name |
| Business Purpose | Intended use; business decisions supported |
| Model Type | Algorithm/methodology (e.g., neural network, LLM, regression) |
| Risk Tier | Classification (high/medium/low) based on materiality |
| Owner | Business unit and individual responsible for model use |
| Developer | Internal team or third-party vendor |
| Validation Status | Date of last validation; next validation due |
| Documentation | Links to model documentation, validation reports, approvals |
Documentation Standards
SR 11-7 requires comprehensive documentation that enables independent validators to understand and assess models without relying on developer explanations. Required documentation includes:
- Model development documentation — Detailed description of model theory, assumptions, data sources, variable selection, and mathematical specifications
- Testing and performance results — Evidence of pre-implementation testing, sensitivity analysis, benchmarking, and limitations analysis
- Validation reports — Independent assessment of conceptual soundness, performance monitoring results, and outcomes analysis findings
- Ongoing monitoring documentation — Performance tracking metrics, exception reports, and evidence of corrective actions
- Change logs — Version control records documenting all model modifications, recalibrations, and updates[1]
For AI systems, documentation should additionally address training data provenance, feature engineering decisions, hyperparameter tuning, and explainability analysis.
Three Lines of Defense
SR 11-7 embeds a three-lines-of-defense framework to ensure independent oversight of model risk:
First Line: Model Developers and Owners
Business units and model development teams are responsible for building sound models, conducting initial testing, documenting assumptions, and monitoring performance. They own the risk and must ensure models operate within approved parameters. First-line teams typically include data scientists, quantitative analysts, and business stakeholders who use model outputs.[1]
Second Line: Independent Model Validation
The model validation function provides independent assessment and effective challenge. Validators must have expertise, authority, and resources equivalent to developers. They assess conceptual soundness, verify testing rigor, review performance monitoring, and escalate identified weaknesses to senior management and the board. This function is often called Model Risk Management (MRM).[1]
Third Line: Internal Audit
Internal audit reviews the effectiveness of the overall model risk management framework. Auditors assess whether governance policies are followed, whether validation is truly independent, whether identified issues are remediated, and whether the board receives accurate reporting. Audit provides assurance to the board and regulators that the MRM framework functions as designed.[1]
This structure prevents any single group from having unchecked authority over model development and deployment. Regulators expect clear separation between these functions—developers cannot validate their own models, and validators cannot be subordinate to business units whose models they assess.[1]
Governance & Oversight
SR 11-7 places ultimate accountability for model risk with senior management and the board of directors. The guidance explicitly states that model risk, like other risks, must be managed through appropriate governance structures.[1]
Board Responsibilities
The board is responsible for:
- Approving model risk appetite — Establishing tolerance for model-related losses and performance degradation
- Ensuring adequate resources — Allocating budget and staff for validation, monitoring, and governance functions
- Receiving regular reporting — Understanding model inventory, validation findings, incidents, and risk trends
- Approving MRM policies — Reviewing and approving the model risk management framework[1]
Senior Management Responsibilities
Senior management is tasked with implementing the board's directives:
- Establishing MRM framework — Developing policies, standards, and procedures for model development, validation, and use
- Building validation capability — Hiring qualified validators; providing training and tools
- Maintaining model inventory — Ensuring all models are identified, cataloged, and risk-tiered
- Remediating issues — Tracking validation findings and ensuring timely corrective action[1]
Model Risk Committee
Many banks establish a Model Risk Management Committee to oversee governance. The committee typically includes:
- Chief Risk Officer (chair)
- Head of Model Validation
- Business unit representatives
- Chief Data Officer or Chief Analytics Officer
- Compliance and Internal Audit (observers)[7]
The committee reviews model inventory, approves high-risk models for production, tracks validation findings, and escalates material issues to the board risk committee.
AI-Specific Considerations
While SR 11-7 applies to AI systems, several aspects of modern AI create unique validation challenges that require specialized approaches.
1. Explainability and Interpretability
Traditional models use interpretable coefficients. Neural networks and large language models operate as black boxes where decision paths are opaque. Validators must assess:
- Can the model provide explanations for individual predictions?
- Are explanations accurate reflections of model logic?
- Can business users understand and trust model outputs?[8]
Techniques like SHAP values, LIME, and attention visualization help but don't fully solve the explainability gap for complex models.
2. Model Drift and Continuous Learning
Traditional models remain static until manually recalibrated. AI models can drift as data distributions change, or—in the case of continuous learning systems—update parameters automatically without human intervention.
Validators must monitor:
- Data drift — Has the distribution of input features changed?
- Concept drift — Have relationships between inputs and outputs shifted?
- Performance degradation — Are accuracy metrics declining over time?[9]
Banks should establish automated drift detection with thresholds that trigger model review or recalibration when exceeded.
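One common way to implement such a threshold trigger is the Population Stability Index (PSI), computed between the score distribution seen at validation and the one seen in production. The code below is an added example, not taken from SR 11-7 or from any vendor. The 0.10 and 0.25 cut-offs are a widely used rule of thumb rather than a regulatory requirement, and the scores are constructed sample data.

```python
import math
from bisect import bisect_right

# Rule-of-thumb PSI cut-offs (assumption; SR 11-7 sets no numeric thresholds).
WATCH_THRESHOLD = 0.10
REVIEW_THRESHOLD = 0.25
EPSILON = 1e-4  # floor for empty bins so the logarithm stays defined

# Constructed baseline: model scores captured at validation time.
BASELINE_SCORES = list(range(500, 700))


def quantile_edges(baseline, n_bins):
    """Interior bin edges that split the baseline into roughly equal-mass bins."""
    ordered = sorted(baseline)
    edges = {ordered[min(len(ordered) * i // n_bins, len(ordered) - 1)]
             for i in range(1, n_bins)}
    return sorted(edges)  # the set drops duplicate edges caused by tied values


def bin_shares(values, edges):
    """Share of values falling in each bin, floored at EPSILON."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return [max(c / len(values), EPSILON) for c in counts]


def psi(baseline, current, n_bins=10):
    """Population Stability Index of `current` measured against `baseline`."""
    if not baseline or not current:
        raise ValueError("both samples must be non-empty")
    edges = quantile_edges(baseline, n_bins)   # bins are fixed by the baseline
    expected = bin_shares(baseline, edges)
    actual = bin_shares(current, edges)
    return sum((a - e) * math.log(a / e) for a, e in zip(actual, expected))


def drift_action(psi_value):
    """Map a PSI value to the monitoring outcome it should trigger."""
    if psi_value >= REVIEW_THRESHOLD:
        return "trigger_model_review"
    if psi_value >= WATCH_THRESHOLD:
        return "watch"
    return "stable"


def monitor(baseline, current):
    """One monitoring run: the metric plus the action to record as evidence."""
    value = psi(baseline, current)
    return {"psi": round(value, 4), "action": drift_action(value)}


def shifted(scores, delta):
    """Constructed production sample: the baseline moved by `delta` points."""
    return [s + delta for s in scores]


if __name__ == "__main__":
    for delta in (0, 15, 30):
        print(delta, monitor(BASELINE_SCORES, shifted(BASELINE_SCORES, delta)))
```

PSI only covers data drift on one variable. Concept drift and performance degradation need labelled outcomes and are checked through outcomes analysis.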
3. Bias and Fairness
AI models trained on historical data can perpetuate or amplify societal biases. For credit underwriting, hiring, or fraud detection models, biased outcomes create regulatory, reputational, and legal risk.
SR 11-7 validation should include:
- Disparate impact testing — Do model predictions differ systematically across protected classes?
- Fairness metrics — Assess demographic parity, equalized odds, or predictive parity
- Adverse action analysis — Ensure legally compliant explanations for denials or adverse decisions[10]
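The first two checks in the list above can be computed directly from a table of model decisions and observed outcomes. The code below is an added example, not part of the guidance or of any bank's tooling. The group labels, the records and the 0.8 screening ratio are assumptions constructed for illustration.

```python
from collections import defaultdict

FOUR_FIFTHS = 0.8  # common screening ratio (assumption; SR 11-7 sets no number)


def make_records():
    """Constructed sample: (group, actual_outcome, model_decision), 1 = good / approved."""
    rows = []
    rows += [("A", 1, 1)] * 40 + [("A", 1, 0)] * 10
    rows += [("A", 0, 1)] * 10 + [("A", 0, 0)] * 40
    rows += [("B", 1, 1)] * 25 + [("B", 1, 0)] * 25
    rows += [("B", 0, 1)] * 5 + [("B", 0, 0)] * 45
    return rows


def safe_div(num, den):
    """Return None instead of failing when a group has no cases in a cell."""
    return num / den if den else None


def group_rates(records):
    """Per-group selection rate, true-positive rate and false-positive rate."""
    tally = defaultdict(lambda: {"n": 0, "approved": 0,
                                 "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for group, actual, decision in records:
        t = tally[group]
        t["n"] += 1
        t["approved"] += decision
        if actual == 1:
            t["pos"] += 1
            t["tp"] += decision
        else:
            t["neg"] += 1
            t["fp"] += decision
    return {g: {"selection_rate": safe_div(t["approved"], t["n"]),
                "tpr": safe_div(t["tp"], t["pos"]),
                "fpr": safe_div(t["fp"], t["neg"])}
            for g, t in tally.items()}


def gap(rates, metric):
    """Largest between-group difference for one metric."""
    values = [r[metric] for r in rates.values() if r[metric] is not None]
    return max(values) - min(values) if values else None


def fairness_report(records, reference_group):
    """Disparate impact ratio, demographic parity gap and equalized odds gaps."""
    rates = group_rates(records)
    ref = rates[reference_group]["selection_rate"]
    ratios = {g: safe_div(r["selection_rate"], ref)
              for g, r in rates.items() if g != reference_group}
    return {
        "rates": rates,
        "disparate_impact_ratio": ratios,
        "demographic_parity_gap": gap(rates, "selection_rate"),
        "equalized_odds_gap": {"tpr": gap(rates, "tpr"), "fpr": gap(rates, "fpr")},
        "flagged_groups": sorted(g for g, r in ratios.items()
                                 if r is not None and r < FOUR_FIFTHS),
    }


if __name__ == "__main__":
    report = fairness_report(make_records(), reference_group="A")
    for key in ("disparate_impact_ratio", "demographic_parity_gap",
                "equalized_odds_gap", "flagged_groups"):
        print(key, report[key])
```

In the constructed data, group B is approved at 0.6 times the rate of group A and its true-positive rate is 0.3 lower, so both the selection-rate test and the equalized odds test point the validator at the same group.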
4. Third-Party and Vendor Models
Banks increasingly rely on third-party AI providers—OpenAI APIs, fraud detection SaaS platforms, credit scoring vendors. These models present validation challenges:
Vendor Model Challenge
How do you validate a model when the vendor won't disclose training data, model architecture, or source code? SR 11-7 holds banks accountable for all models used in business decisions, regardless of whether they were developed internally or procured from vendors.[1]
Acceptable validation approaches for vendor models include:
- Benchmarking vendor model outputs against alternative models or expert judgment
- Outcomes analysis comparing vendor predictions to actual results
- Sensitivity testing using edge cases and adversarial inputs
- Third-party validation reports provided by the vendor[11]
5. Hallucinations and Output Reliability
Large language models produce plausible but factually incorrect outputs—"hallucinations." For use cases like regulatory compliance, customer communications, or loan documentation, hallucinations create material risk.
Validators should assess:
- Hallucination rates across different prompt types
- Controls to detect and prevent hallucinated outputs from reaching customers
- Human review workflows for high-stakes outputs[12]
Common Examination Findings
Regulatory examinations consistently identify similar SR 11-7 deficiencies across institutions. Understanding common findings helps banks prioritize remediation efforts.
Incomplete Model Inventory
Examiners frequently find models operating in production that don't appear in the official inventory. This is especially common with AI systems deployed by business units without IT or risk involvement—so-called "shadow AI." Regulators expect proactive discovery processes, not reliance on self-reporting.[2]
Insufficient Validation Documentation
Validation reports lack depth or fail to demonstrate effective challenge. Common issues include validators simply confirming that developers followed procedures rather than independently assessing model appropriateness, or validation reports that omit conceptual soundness review for AI models deemed too complex to evaluate.[2]
Weak Ongoing Monitoring
Models are validated at implementation but not continuously monitored thereafter. Performance metrics aren't tracked, drift isn't detected, and models remain in production years after their assumptions became obsolete. This finding is particularly acute for AI models where data distributions change rapidly.[2]
Inadequate Third-Party Model Oversight
Banks assume vendor-provided models are inherently valid and perform no independent assessment. Examiners find vendor model cards accepted without verification, no benchmarking against alternative approaches, and no outcomes analysis to confirm vendor claims.[13]
Lack of Independence
Model validators report to business units whose models they assess, creating conflicts of interest. Or validation teams lack sufficient expertise to challenge complex AI models, resulting in superficial reviews that rubber-stamp developer conclusions.[2]
Failure to Remediate Findings
Validation identifies issues but corrective actions aren't implemented. Issue tracking systems show validation findings open for years without resolution, models remain in production despite known deficiencies, and management lacks accountability for remediation.[2]
Enforcement Examples
Regulators have taken enforcement action against banks for SR 11-7 deficiencies, particularly in cases where model risk management failures contributed to financial losses:
Wells Fargo (2016): The Federal Reserve and OCC issued enforcement actions citing, among other issues, deficient model risk management practices. Wells Fargo was required to enhance its MRM framework, improve validation processes, and ensure adequate resources for the model risk function.[3]
HSBC (2013): HSBC entered into consent orders with the OCC requiring comprehensive MRM enhancements following findings of inadequate anti-money laundering controls, including weaknesses in AML transaction monitoring models.[14]
While these actions predate the AI era, they establish regulatory expectations: model risk management is not optional, and deficiencies have consequences.
Implementation Roadmap
Building SR 11-7 compliant model risk management for AI systems requires a phased approach balancing regulatory requirements with operational reality.
SR 11-7 Implementation Roadmap
Phase 1: Model Discovery & Inventory (Months 1-2)
Identify all models in scope—both formally approved and shadow AI. Use automated discovery tools to scan production environments for ML endpoints, API integrations, and statistical processes. Build a comprehensive inventory with risk tiers. Don't rely on self-reporting; proactively hunt for undocumented models.
Deliverable: Complete model inventory with risk classification
Phase 2: Governance Framework (Months 2-3)
Establish MRM policies, procedures, and governance structures. Define roles and responsibilities across the three lines of defense. Create a Model Risk Committee charter. Develop model development standards and validation templates tailored for AI systems. Secure board approval of the MRM framework.
Deliverable: Board-approved MRM policy and governance charter
Phase 3: Build Validation Capability (Months 3-6)
Hire or train independent validators with AI/ML expertise. Establish reporting lines ensuring independence from model developers. Develop validation methodologies for neural networks, LLMs, and vendor models. Procure validation tools for bias testing, drift detection, and explainability analysis. Validate highest-risk models first.
Deliverable: Independent validation team with documented methodologies
Phase 4: Implement Monitoring & Evidence (Months 4-9)
Deploy continuous monitoring for production AI models. Establish drift detection, performance tracking, and bias monitoring. Implement evidence generation infrastructure that produces cryptographic proof of control execution—not just logs that can be altered. Build dashboards showing validation status, findings, and remediation progress.
Deliverable: Automated monitoring with verifiable evidence trails
Phase 5: Validation Backlog & Remediation (Months 6-12)
Complete initial validation of all high-risk models. Document findings and track remediation. For medium and low-risk models, establish validation schedules. Ensure all models have validation reports no more than 12-18 months old. Address examiner findings proactively before the next regulatory exam.
Deliverable: Current validation reports for all material models
Phase 6: Continuous Improvement (Ongoing)
Mature the MRM program through annual policy reviews, validator training, and methodology enhancements. Track industry best practices for AI validation. Prepare for regulatory exams with mock examinations and pre-exam self-assessments. Leverage evidence infrastructure to demonstrate control effectiveness to examiners.
Deliverable: Exam-ready MRM program with audit-quality evidence
Critical success factor: Don't treat SR 11-7 as a documentation exercise. Regulators expect effective challenge—validators who genuinely assess whether AI models are fit for purpose, not compliance theater. Build evidence that controls executed, not just policies that describe them.
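Phase 4 asks for cryptographic proof of control execution rather than logs that can be altered. The code below shows one way to get that property with a hash-chained, HMAC-tagged evidence log. It is an added example, not the page's or any product's implementation, and the control IDs, model IDs, timestamps and key are constructed placeholders.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demo key (assumption). A real key would sit in an HSM or KMS
# that model developers and owners cannot reach.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical(obj):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain, key, control_id, model_id, result, timestamp):
    """Append one control-execution record linked to the previous entry's hash."""
    body = {
        "seq": len(chain),
        "timestamp": timestamp,
        "control_id": control_id,
        "model_id": model_id,
        "result": result,
        "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry_hash = hashlib.sha256(canonical(body)).hexdigest()
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    chain.append({**body, "entry_hash": entry_hash, "hmac": tag})
    return chain[-1]


def verify_chain(chain, key, expected_head=None):
    """Return (ok, reason). `expected_head` is a head hash stored elsewhere."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "hmac")}
        if body.get("seq") != i:
            return False, f"entry {i}: sequence gap or reorder"
        if body.get("prev_hash") != prev:
            return False, f"entry {i}: broken link to previous entry"
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != entry.get("entry_hash"):
            return False, f"entry {i}: content altered"
        tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, entry.get("hmac", "")):
            return False, f"entry {i}: bad HMAC"
        prev = digest
    # A chain cut off at the end is still internally consistent, so the
    # latest head hash must also be held outside the log (assumption: e.g.
    # in write-once storage or with the validation team).
    if expected_head is not None and prev != expected_head:
        return False, "head hash mismatch: chain truncated or replaced"
    return True, "ok"


def build_demo_chain():
    """Three constructed evidence records for a hypothetical fraud model."""
    chain = []
    append_evidence(chain, DEMO_KEY, "drift-check", "fraud-model-v3",
                    "psi=0.04 stable", "2025-01-06T02:00:00Z")
    append_evidence(chain, DEMO_KEY, "bias-test", "fraud-model-v3",
                    "fail: ratio 0.6", "2025-01-06T02:05:00Z")
    append_evidence(chain, DEMO_KEY, "validator-signoff", "fraud-model-v3",
                    "remediation required", "2025-01-07T15:30:00Z")
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, DEMO_KEY, expected_head=chain[-1]["entry_hash"]))
    chain[1]["result"] = "pass"          # quiet edit of a failed control
    print(verify_chain(chain, DEMO_KEY))
```

An HMAC means whoever can verify the log can also forge it. Where examiners or auditors must verify evidence without being able to create it, the tag would be replaced by an asymmetric signature.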
Resource Requirements
Building SR 11-7 compliant MRM for AI requires significant investment:
Typical MRM Staffing (Mid-Sized Bank)
| Role | Headcount | Responsibilities |
|---|---|---|
| Head of Model Risk | 1 | Framework oversight; board/committee reporting |
| Senior Validators | 3-5 | Validate high-risk AI models; conceptual soundness |
| Model Validators | 5-10 | Ongoing monitoring; outcomes analysis; reporting |
| Model Inventory Analyst | 1-2 | Maintain inventory; coordinate validations |
| Data Scientists (AI Validation) | 2-4 | Specialized AI/ML validation; bias testing; drift monitoring |
Larger institutions may have validation teams of 50+ FTEs. Community banks often outsource validation to third-party consultants due to resource constraints.[7]
Frequently Asked Questions
Does SR 11-7 apply to non-bank entities?
SR 11-7 directly applies only to Federal Reserve-supervised institutions. However, OCC Bulletin 2011-12 extends the same requirements to national banks, and many state regulators have adopted similar expectations. Non-bank AI companies aren't subject to SR 11-7, but banks that use their models are—creating indirect compliance pressure on vendors.
How do I validate a vendor AI model when they won't share source code?
Acceptable approaches include benchmarking (comparing vendor outputs to alternative models), outcomes analysis (testing vendor predictions against actual results), adversarial testing (edge cases and unusual inputs), and third-party validation reports. You can also negotiate contractual terms requiring vendors to provide validation evidence or allow independent auditors to assess their models.[11]
What happens if we fail to comply with SR 11-7?
Regulatory consequences range from informal supervisory findings requiring remediation plans, to formal enforcement actions (cease and desist orders, civil money penalties), to growth restrictions preventing new business activities. Wells Fargo and HSBC faced enforcement actions partially related to MRM deficiencies, demonstrating regulators take these requirements seriously.[3][14]
Can model developers also perform validation?
No. SR 11-7 requires validation by "a qualified party who is independent of the development process." Developers can perform initial testing and sensitivity analysis, but independent validators must conduct formal validation. This separation ensures objective challenge and prevents conflicts of interest.[1]
How often must AI models be revalidated?
SR 11-7 doesn't mandate specific intervals, requiring instead that frequency reflect model risk. Most banks validate high-risk models annually, medium-risk models every 18-24 months, and low-risk models every 2-3 years. However, AI models may require more frequent validation due to drift, or continuous monitoring that serves as ongoing validation.[1][7]
References
- [1] Board of Governors of the Federal Reserve System. "SR 11-7: Guidance on Model Risk Management." April 4, 2011. federalreserve.gov/supervisionreg/srletters/sr1107.htm
- [2] Federal Reserve Bank of New York. "Common Model Risk Management Examination Findings." Supervisory Letter, 2023.
- [3] Federal Reserve Board. "Federal Reserve Board announces enforcement actions with Wells Fargo." September 2016. federalreserve.gov/newsevents/pressreleases/enforcement20160908a.htm
- [4] Office of the Comptroller of the Currency. "OCC Bulletin 2011-12: Supervisory Guidance on Model Risk Management." April 4, 2011. occ.gov/news-issuances/bulletins/2011/bulletin-2011-12.html
- [5] Federal Reserve Board. "Interagency Guidance on Third-Party Relationships: Risk Management." June 2023; Federal Reserve statements on AI/ML model supervision, 2024.
- [6] Federal Reserve. "Effective Challenge in Model Validation." Supervisory expectations guidance, 2012-2024.
- [7] Deloitte. "Model Risk Management for AI: Banking Industry Practices." 2024. deloitte.com
- [8] NIST. "Four Principles of Explainable AI." NIST AI 100-1, 2021. nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8312.pdf
- [9] Google Research. "Monitoring Machine Learning Models in Production." 2023; Amazon SageMaker Model Monitor documentation.
- [10] Consumer Financial Protection Bureau. "CFPB Acts to Protect the Public from Black-Box Credit Models." May 2022. consumerfinance.gov
- [11] Federal Reserve. "Supervisory Guidance on Model Risk Management: Applicability to Vendor Models." SR 11-7 supplemental guidance, 2013.
- [12] Stanford HAI. "AI Hallucinations: Causes, Measurement, and Mitigation." AI Index Report 2025. hai.stanford.edu
- [13] Office of the Comptroller of the Currency. "Third-Party Model Risk Management Expectations." OCC examiner guidance, 2020-2024.
- [14] Office of the Comptroller of the Currency. "OCC Consent Orders with HSBC Bank USA." 2013. occ.gov/news-issuances/news-releases/2013/nr-occ-2013-24.html