AI Model Risk Management: Fed/OCC SR 11-7, SR 21-8 MRM Update, EBA ML Guidelines & CCAR
Model risk management (MRM) — the practice of identifying, assessing, and managing the risks that arise from using quantitative models in financial decision-making — has become the central compliance framework for AI governance in financial services. The Federal Reserve's SR 11-7 guidance (2011), supplemented by SR 21-8 (2021) which addressed updates to MRM practices, establishes the US standard for model risk management that regulators apply to all AI and ML models used in banking. The EBA's 2021 ML guidelines extend comparable standards to EU banks.
Federal Reserve SR 11-7 and SR 21-8 — Model Risk Management
SR 11-7: Issued April 4, 2011 — Guidance on Model Risk Management; applies to all quantitative models used by Federal Reserve-supervised institutions
SR 21-8: Issued June 2021 — updates to MRM practices addressing technological advances including AI/ML
Model definition: SR 11-7 defines a model as a quantitative method that applies statistical, economic, financial, or mathematical theories — AI and ML clearly qualify
Three pillars: Model development/implementation; model validation (independent); model governance/oversight
AI-specific challenge: SR 11-7 documentation requirements — describing model inputs, processing, and outputs in enough detail to allow replication — are difficult to satisfy for neural networks and other non-interpretable AI architectures
Source: SR 11-7 — federalreserve.gov
Regulatory Risks and Compliance Challenges
The EBA's November 2021 Report on Machine Learning for IRB Models established EU-specific MRM standards for AI used in regulatory capital calculations. Key EBA expectations include: ML-specific validation testing covering discrimination, calibration, and stability; enhanced data quality requirements for ML training data; documentation of feature importance and model interpretability; and governance for ML model retraining and updates. The EBA's standards are more demanding than SR 11-7 in specific respects — particularly around interpretability requirements for regulatory capital models.
CCAR and DFAST stress testing models present a specific MRM challenge because the models used in regulatory capital planning must be both accurate and explainable to Federal Reserve examiners. Neural network models that produce highly accurate loss estimates but cannot explain individual predictions do not satisfy SR 11-7's documentation requirements in the CCAR context. Banks are increasingly using hybrid approaches — combining ML accuracy with interpretable model architectures or post-hoc explanation methods — to satisfy both performance and documentation requirements.
Claire's AI Compliance Solution
Claire Platform Capabilities
SR 11-7/SR 21-8 Model Documentation Automation
Claire automates the production of SR 11-7-compliant model documentation for AI systems — capturing model purpose, training data lineage, architecture description, validation results, and performance monitoring history in the standardized format that Federal Reserve and OCC examiners expect.
Independent Model Validation Framework
Claire's validation module provides the independent validation infrastructure that SR 11-7 requires — running AI-specific validation tests including discrimination, calibration, stability, and sensitivity analysis, with results documented in examination-ready validation reports.
MRM Program Coverage Assessment
Claire assesses existing MRM program coverage against the full AI/ML model inventory — identifying models that have not been brought under SR 11-7 governance and prioritizing remediation based on model materiality and examination risk.
Compliance Checklist
AI Regulatory Compliance Requirements
Complete AI model inventory with SR 11-7 risk tiers.
Model documentation meeting SR 11-7 replication standard.
Independent validation for all Tier 1 and Tier 2 models annually.
Ongoing performance monitoring with defined thresholds and triggers.
Model governance escalation and board reporting.
CCAR/DFAST model documentation meeting Federal Reserve examination standards.
EBA ML Guidelines compliance for EU banking operations.
Third-party model vendor due diligence and performance monitoring.
Model change management — validation triggered by material model changes.
Examination-ready documentation accessible within 48 hours.
Frequently Asked Questions
What does SR 11-7 require for AI model documentation?
SR 11-7 requires model documentation adequate to allow a knowledgeable third party to understand the model's purpose, methodology, and outputs — and to replicate the model's results. For AI models, this means: description of training data including source, scope, and quality assessment; model architecture description; feature selection rationale; training methodology; performance testing results; and limitations and appropriate use conditions. Neural network architectures present documentation challenges because their internal representations cannot be fully described.
What is the difference between SR 11-7 and SR 21-8?
SR 11-7 (2011) established the foundational model risk management framework for all quantitative models used by Federal Reserve-supervised institutions. SR 21-8 (2021) supplements SR 11-7 with updates addressing technological advances including machine learning, alternative data, and cloud computing. SR 21-8 emphasizes the need to address model complexity, interpretability, and data governance challenges specific to modern AI architectures — while confirming that SR 11-7's core requirements remain fully applicable to AI models.
How do CCAR models meet SR 11-7 documentation requirements?
CCAR models must meet SR 11-7 documentation standards, which Federal Reserve examiners enforce strictly in horizontal CCAR reviews. For AI CCAR models, documentation must include: complete description of training data covering the time period, data quality, and any gaps; model architecture adequate for a knowledgeable reviewer to understand how the model produces outputs; validation results including backtesting against out-of-sample data; limitations including known failure modes under specific conditions; and evidence of ongoing monitoring.
What EBA standards apply to ML credit risk models?
The EBA's 2021 Report on ML for IRB Models established specific requirements for AI/ML models used in capital calculations: ML-specific discrimination tests (Gini, AUC) with benchmarks calibrated for ML performance ranges; calibration tests under current and stressed conditions; stability tests across time periods and economic regimes; feature importance documentation; and data quality requirements covering representativeness of training data. These requirements supplement the CRR/CRD framework for internal model approval.
How should banks assess model risk for third-party AI?
Third-party AI models used in material risk management or capital calculations must be subject to the same MRM standards as internally developed models. Banks must: obtain documentation of the third-party model's design and testing; conduct independent validation of the third-party model (or review vendor validation documentation critically); monitor the model's ongoing performance using the bank's own data; and maintain the ability to challenge or replace the third-party model if it underperforms. Vendor representations about model quality do not substitute for independent validation.
Related: Finance AI Overview | AI Model Risk Management | Regulatory Compliance