SR 11-7, SR 26-2, and model risk management

The Federal Reserve's Supervisory Guidance on Model Risk Management (SR 11-7), issued in 2011, established the foundational framework for model governance in US banking. SR 11-7 was superseded on 17 April 2026 by SR 26-2 (Revised Guidance on Model Risk Management), issued jointly by the Federal Reserve, OCC, and FDIC. The core principles (model validation, independent review, documentation, performance monitoring, and model inventory) remain intact in the revised guidance, with expanded expectations for AI and machine learning models. While SR 11-7 predates modern machine learning, regulators have consistently confirmed that its principles apply to ML and AI models. These core requirements apply to AI systems used in credit underwriting, fraud detection, trading, and other regulated activities.

The practical challenge of applying SR 11-7 to modern AI is the explainability gap: the guidance requires model validators to understand how a model works in sufficient detail to challenge its assumptions and evaluate its performance. Traditional statistical models are fully interpretable — the relationship between inputs and outputs can be precisely described. Gradient boosted ensembles, neural networks, and large language models cannot be understood in the same way. Regulators have not resolved this tension — they expect SR 11-7 compliance while acknowledging that traditional validation methodologies do not straightforwardly apply to complex AI models. The emerging practice is to combine traditional performance testing with explainability techniques (SHAP values, LIME) and specific fairness testing as a partial substitute for full interpretability.

CFPB enforcement: the practical AI compliance standard

The Consumer Financial Protection Bureau has been the most active federal enforcement agency on AI in financial services, and its enforcement actions establish the practical compliance standard more clearly than any guidance document. Three enforcement themes dominate the CFPB's AI record. First, algorithmic adverse action notices: the CFPB has found that automated credit denials must include specific principal reasons that are genuinely informative — reference to an algorithm or a risk score does not satisfy the Equal Credit Opportunity Act's adverse action requirements. Second, discriminatory lending AI: the CFPB has pursued lenders whose AI credit models produced discriminatory disparate impacts on protected groups, establishing that ECOA applies fully to algorithmic lending decisions. Third, AI-generated customer communications: the Bureau has taken action against financial institutions whose AI-generated communications were misleading or unfair under the Consumer Financial Protection Act.