Banks Brace for New Model Risk Rules

New federal guidance elevates model risk management, demanding a unified platform approach for classical ML and GenAI.


The days of treating model risk management as a checkbox exercise are over. On April 17, 2026, federal regulators including the Federal Reserve, FDIC, and OCC overhauled existing guidance, replacing SR 11-7 and related issuances with a framework that demands a more integrated and risk-sensitive approach. This isn't just a technical update; it signals that regulators view models as core to banking operations, requiring oversight akin to credit or market risk.

The Shift to Principles and Risk-Based Tailoring

The new Model Risk Management framework demands that banks tier their model inventory by materiality, applying controls proportionally. Lower-tier models face lighter oversight, but only if the tiering itself is auditable. This requires a unified lifecycle view, encompassing development, validation, deployment, monitoring, and retirement, with clear lineage across each stage.

Effective challenge, a cornerstone of robust risk management, now necessitates versioned and reproducible challenger models, outcome analysis, and sensitivity testing. Continuous monitoring for performance and data drift, with thresholds tied to materiality, is also paramount.

GenAI and Agentic Systems Under the MRM Umbrella

Crucially, the guidance extends its principles to Generative AI and agentic systems. Regulators are already scrutinizing LLM-based underwriting assistants, AML triage agents, and customer-facing copilots, treating them as within scope by analogy. The core requirement remains consistent: evidence of good governance must be an automatic byproduct of how these models are built and managed, not a post-hoc reconstruction.

This necessitates a platform decision that treats future guidance changes as configuration updates, not multi-quarter programs. Banks must move beyond fragmented point solutions and adopt a unified substrate for managing both classical ML and GenAI.

Databricks' Reference Architecture for MRM

Databricks proposes a reference architecture designed to meet these evolving expectations. It centers on Unity Catalog for governance, enabling an end-to-end lineage graph and a single source of truth for model inventory, ownership, and access. The architecture maps the entire ML lifecycle onto concrete capabilities, ensuring that evidence of governance is generated organically.

Key governance patterns include materiality tiering as metadata, allowing for rapid updates without re-platforming. Proportionality is enforced through Attribute-Based Access Control (ABAC) tied to tier tags, directly embedding controls into the platform.

For instance, Tier-1 models require explicit MRM validator approval for production promotion, enforcing dual control. Lighter oversight applies to lower tiers, with access logs providing the audit trail. This approach streamlines regulatory compliance for AI models.
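The tier-tagged promotion gate described above can be sketched as a small policy check. This is an added example, not Databricks' code and not the Unity Catalog API; the role name, tier tag values, field names and the fail-closed handling of untagged models are assumptions made for illustration.

```python
from __future__ import annotations
import json
from dataclasses import dataclass, field

# Hypothetical names for this sketch; they are not Unity Catalog identifiers.
VALIDATOR_ROLE = "mrm_validator"
KNOWN_TIERS = {"tier1", "tier2", "tier3"}

@dataclass
class PromotionRequest:
    model: str
    version: int
    tier: str | None                      # materiality tier tag from model metadata
    requester: str                        # principal asking for promotion
    approvals: dict[str, set[str]] = field(default_factory=dict)  # approver -> roles

def decide(req: PromotionRequest, audit_log: list[str]) -> bool:
    """Gate a production promotion on the tier tag; log every decision."""
    if req.tier not in KNOWN_TIERS:
        # Assumption: an untagged model fails closed, otherwise removing the
        # tag would be a way around the Tier-1 gate.
        allowed, reason = False, "missing or unknown tier tag"
    elif req.tier == "tier1":
        # Dual control: the approver must hold the validator role and must
        # not be the principal who requested the promotion.
        independent = sorted(p for p, roles in req.approvals.items()
                             if VALIDATOR_ROLE in roles and p != req.requester)
        allowed = bool(independent)
        reason = (f"approved by {independent[0]}" if allowed
                  else "tier1 requires an independent MRM validator approval")
    else:
        allowed, reason = True, "lower tier: no validator gate, decision logged"
    audit_log.append(json.dumps({
        "model": req.model, "version": req.version, "tier": req.tier,
        "requester": req.requester, "allowed": allowed, "reason": reason,
    }, sort_keys=True))
    return allowed

if __name__ == "__main__":
    log: list[str] = []
    # Constructed sample requests.
    req = PromotionRequest("pd_scorecard", 7, "tier1", "alice",
                           {"alice": {VALIDATOR_ROLE}})
    print(decide(req, log))                      # self-approval is rejected
    req.approvals["bob"] = {VALIDATOR_ROLE}
    print(decide(req, log))
    print("\n".join(log))
```

Every decision, including denials and lower-tier promotions, lands in the audit log, so the evidence is produced by the control itself instead of being reconstructed afterwards.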

The platform supports mapping each lifecycle stage to expected MRM evidence, from data sourcing and feature engineering to model development, validation, deployment, monitoring, and retirement. This ensures that documentation, monitoring, and validation are intrinsically linked to the production model version.

Ultimately, the new guidance pushes banks towards a more integrated, platform-centric approach to model risk management. The ability to demonstrate comprehensive governance across the entire model lifecycle, for both traditional and advanced AI systems, is no longer optional.

© 2026 StartupHub.ai. All rights reserved.