OCC Bulletin 2026-13: The New Interagency Standard for Model Risk Management

Reference: Bulletin 2026-13

Official publication: Read the full Bulletin 2026-13 on the agency website

On April 17, 2026, the Office of the Comptroller of the Currency (OCC), acting in coordination with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation (FDIC), released Bulletin 2026-13. This issuance marks a significant evolution in regulatory expectations for how financial institutions identify, measure, and mitigate the risks associated with quantitative models. By rescinding prior guidance and introducing a consolidated interagency framework, the regulators are signaling a shift toward a more nuanced, risk-based approach that acknowledges the increasing sophistication of financial modeling while demanding higher levels of governance and internal challenge.

Executive Summary

• Risk-Based Framework Adoption: The guidance moves away from a one-size-fits-all approach, requiring institutions to tailor their model risk management (MRM) intensity to the complexity and materiality of the specific models in use.
• Rescission of Legacy Guidance: Bulletin 2026-13 formally rescinds older, fragmented issuances, creating a single, cohesive standard across the OCC, FDIC, and Federal Reserve.
• Emphasis on Effective Challenge: A core pillar of the new guidance is the requirement for a robust “effective challenge” during the model validation process, conducted by parties independent of model development and use.
• Expanded Governance Expectations: The agencies have clarified the responsibilities of boards of directors and senior management, emphasizing that model risk is a distinct category of risk requiring dedicated oversight.
• Focus on Model Lifecycles: The revised guidance details expectations across the entire lifecycle of a model, from initial development and data acquisition to implementation, ongoing monitoring, and eventual retirement.

What the Regulator Issued

The OCC Bulletin 2026-13, titled “Model Risk Management: Revised Guidance,” is a joint effort by the primary federal banking regulators to modernize the supervisory framework for models. According to the official summary, the agencies are issuing this updated guidance “to clarify model risk management principles, to set forth a risk-based approach to model risk management, and to rescind prior model risk management guidance and other issuances.”

The guidance addresses the fundamental definition of a model, which remains focused on quantitative methods, systems, or approaches that apply statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. However, the revised text places a heavier emphasis on the application of these models in decision-making processes. The agencies note that as models become more integrated into critical banking functions—ranging from credit underwriting and capital adequacy to fraud detection and stress testing—the potential for systemic failure due to model error increases. Consequently, the guidance reinforces the need for rigorous documentation and validation protocols that are commensurate with the risk the model poses to the institution.

Who Is Impacted

The scope of Bulletin 2026-13 is broad, encompassing all national banks, federal savings associations, and federal branches and agencies of foreign banking organizations supervised by the OCC. Furthermore, because this is interagency guidance, it effectively applies to all state member banks (supervised by the Federal Reserve) and state non-member banks (supervised by the FDIC).

While the principles of model risk management apply to all institutions, the application of the guidance will vary based on the institution’s size, complexity, and risk profile. Large, systemically important financial institutions (SIFIs) will likely face the highest level of scrutiny, particularly regarding their use of complex algorithms for capital planning and market risk. Community banks, while still required to maintain an inventory of models and perform basic validations, are expected to benefit from the “risk-based” clarification, allowing them to focus resources on the models that most directly impact their safety and soundness, such as allowance for credit loss (ACL) models or interest rate risk tools.

Key Dates and Deadlines

The bulletin was published on April 17, 2026. The rescission of prior model risk management guidance is effective immediately. While the release does not specify a future “compliance date” for new requirements, the agencies generally expect institutions to begin aligning their MRM frameworks with the revised principles during their next internal audit or model validation cycle. Regulatory examiners are expected to begin incorporating these revised standards into their examination modules in the coming quarters.

Practical Action Checklist

1. Update Model Inventory: Conduct a comprehensive review of all quantitative tools currently in use to ensure the model inventory is complete and categorized according to the updated risk-based definitions.
2. Review Rescinded Guidance: Identify any internal policies or procedures that specifically cite the now-rescinded OCC 2011-12 or SR 11-7 and update them to reference Bulletin 2026-13.
3. Assess Validation Independence: Review the “effective challenge” protocols to ensure that individuals or departments performing validations are sufficiently independent from the developers and have the technical authority to reject a model.
4. Enhance Data Quality Controls: Document the lineage and quality of data inputs used in high-risk models, as the guidance emphasizes that model output is only as reliable as the underlying data.
5. Formalize Model Retirement: Establish clear criteria and documentation requirements for when a model is retired or replaced, ensuring that legacy risks are not carried forward into new systems.
6. Board and Management Training: Conduct briefing sessions for the board of directors and senior risk officers on their expanded roles in model governance and the shift toward risk-based oversight.
7. Evaluate Third-Party Models: Apply the same level of rigor to models purchased from vendors as to those developed in-house, including requesting independent validation reports from the vendor.
8. Audit Model Documentation: Ensure that every model in the inventory has up-to-date documentation covering its theoretical basis, implementation logic, and known limitations.
9. Refine Risk Categorization: Develop a tiered system for models (e.g., High, Medium, Low risk) that dictates the frequency and depth of required validation activities.
10. Test for Model Sensitivity: Implement regular sensitivity analysis and stress testing of model parameters to understand how changes in market conditions affect output reliability.
11. Monitor Ongoing Performance: Establish automated triggers for re-validation if a model’s performance deviates from expected historical norms.
12. Document Exception Handling: Create a formal process for documenting and approving instances where a model is used despite known limitations or failed validation components.

Open Questions / Watch Items

One primary area for monitoring is how the “risk-based approach” will be interpreted by individual examiners. There is a inherent tension between providing flexibility and maintaining a clear supervisory standard; institutions should watch for supplemental examination manuals that may offer more granular examples of what constitutes “sufficient validation” for specific model tiers. Additionally, the guidance does not explicitly resolve how institutions should handle models that incorporate non-traditional data sources or highly complex, non-linear algorithms that are difficult to “explain” in traditional validation terms.

Another item to monitor is the alignment between the agencies on the treatment of “shadow models”—spreadsheets or tools used for decision-making that may not have been historically captured in the formal MRM inventory. The revised guidance suggests a stricter eye on these tools, potentially increasing the compliance burden for departments like human resources or marketing if they utilize quantitative scoring systems. Finally, the industry should look for feedback from upcoming examinations to see if the agencies will prioritize certain model types, such as those used for environmental risk assessment or liquidity management, in the first wave of implementation reviews.

This memorandum was published by My Law Tampa as a resource for the legal and compliance community. We provide these updates to assist institutions in navigating the complex and often overlapping requirements of federal financial regulators.

The information provided in this memo is for general informational purposes only and does not constitute legal advice. No attorney-client relationship is created by the publication or receipt of this document. Institutions should consult with qualified legal counsel regarding the specific application of OCC Bulletin 2026-13 to their unique operational profiles.

Source Materials

• Official publication: Bulletin 2026-13
• Regulator archive: OCC memo archive
• Memo library: browse the full regulatory memo archive
• Related memo: OCC Proposes New AML/CFT Program Requirements: A Strategic Shift for National Banks
• Related memo: OCC and FDIC Codify Prohibition on Reputation Risk in Supervisory Actions
• Related memo: OCC Rescinds Recovery Planning Guidelines for Certain Large Banks