AIRiskAware

Financial Services 11 min read 2026

AI Governance in US Financial Services: Fed SR 11-7, OCC, CFPB, and the Emerging Federal Framework

US financial institutions navigate AI governance through model risk management guidance, federal agency enforcement actions, and a rapidly developing state and federal legislative landscape. The 2026 compliance map for US banks, insurers, and fintechs.

Key Takeaways

  • SR 11-7 (Model Risk Management) is the foundational US banking AI governance framework — while written for traditional models, regulators have confirmed it applies to ML and AI models, and examination programs are testing compliance.

  • The CFPB has been the most active federal AI enforcement agency — its actions against algorithmic credit decisions, AI-generated adverse action notices, and discriminatory lending AI establish clear enforcement expectations.

  • The OCC, FDIC, and Federal Reserve have issued joint guidance on AI risk management that goes beyond SR 11-7 to address the specific characteristics of ML models — explainability, fairness testing, and third-party AI vendor oversight.

  • State insurance regulators have led on AI fairness in insurance — NAIC's model bulletin on AI in insurance has been adopted by multiple states and creates specific algorithmic fairness requirements for insurance AI.

  • The US AI regulatory landscape is still developing rapidly — the Executive Order on AI (October 2023) and subsequent agency guidance have established federal expectations, but comprehensive federal AI legislation has not yet passed.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific advice."

SR 11-7, SR 26-2, and model risk management

The Federal Reserve's Supervisory Guidance on Model Risk Management (SR 11-7), issued in 2011, established the foundational framework for model governance in US banking. SR 11-7 was superseded on 17 April 2026 by SR 26-2 (Revised Guidance on Model Risk Management), issued jointly by the Federal Reserve, OCC, and FDIC. The core principles (model validation, independent review, documentation, performance monitoring, and model inventory) remain intact in the revised guidance, with expanded expectations for AI and machine learning models. While SR 11-7 predates modern machine learning, regulators have consistently confirmed that its principles apply to ML and AI models, including AI systems used in credit underwriting, fraud detection, trading, and other regulated activities.

The practical challenge of applying SR 11-7 to modern AI is the explainability gap: the guidance requires model validators to understand how a model works in sufficient detail to challenge its assumptions and evaluate its performance. Traditional statistical models are fully interpretable — the relationship between inputs and outputs can be precisely described. Gradient boosted ensembles, neural networks, and large language models cannot be understood in the same way. Regulators have not resolved this tension — they expect SR 11-7 compliance while acknowledging that traditional validation methodologies do not straightforwardly apply to complex AI models. The emerging practice is to combine traditional performance testing with explainability techniques (SHAP values, LIME) and specific fairness testing as a partial substitute for full interpretability.

CFPB enforcement: the practical AI compliance standard

The Consumer Financial Protection Bureau has been the most active federal enforcement agency on AI in financial services, and its enforcement actions establish the practical compliance standard more clearly than any guidance document. Three enforcement themes dominate the CFPB's AI record. First, algorithmic adverse action notices: the CFPB has found that automated credit denials must include specific principal reasons that are genuinely informative — reference to an algorithm or a risk score does not satisfy the Equal Credit Opportunity Act's adverse action requirements. Second, discriminatory lending AI: the CFPB has pursued lenders whose AI credit models produced discriminatory disparate impacts on protected groups, establishing that ECOA applies fully to algorithmic lending decisions. Third, AI-generated customer communications: the Bureau has taken action against financial institutions whose AI-generated communications were misleading or unfair under the Consumer Financial Protection Act.