Office of the Comptroller of the Currency updates model risk management guidance for OCC-supervised institutions and rescinds prior issuances

The Office of the Comptroller of the Currency (OCC), in coordination with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, issued updated model risk management guidance for OCC-supervised institutions. The guidance clarifies that model risk management should be risk-based and tailored to a banking organization’s size, complexity, and extent of model use, and it is non-prescriptive and not enforceable, with the OCC stating that non-compliance will not result in supervisory criticism. The revised guidance sets out principles covering factors that influence model risk and the features of effective model development and use, model validation and monitoring, and governance and controls. It also addresses considerations for vendor and other third-party products, including their validation. The OCC expects the guidance to be most relevant to banking organizations with over USD 30 billion in total assets, while noting it may also be relevant to smaller institutions with significant model risk exposure; generative AI and agentic AI models are explicitly out of scope. As part of the update, the OCC rescinded OCC Bulletin 2011-12 on model risk management, OCC Bulletin 2021-19 on model risk management for systems supporting Bank Secrecy Act and anti-money laundering compliance, OCC Bulletin 1997-24 on credit scoring models (including its appendix), and the Comptroller’s Handbook “Model Risk Management” booklet. The OCC, Federal Reserve Board, and FDIC plan to issue a request for information in the near future covering model risk management generally and banks’ use of AI, including generative AI, agentic AI, and AI-based models.