FDIC Revises Interagency Model Risk Management Guidance

Reference: FIL-22-2017

Official publication: Read the full FIL-22-2017 on the agency website

The FDIC’s April 17, 2026 release matters because it updates the interagency framework many banking organizations have treated as the baseline for model governance for more than a decade. The official materials confirm a more expressly risk-based and size-sensitive approach, immediate rescission of prior FDIC model risk guidance, and specific attention to vendor and other third-party products. At the same time, the release is concise, which means institutions will need to make disciplined transition judgments without assuming that every prior practice, committee structure, or validation artifact carries forward unchanged.

Executive Summary

• The FDIC, OCC, and Federal Reserve issued revised interagency model risk management guidance on April 17, 2026, and the FDIC simultaneously rescinded FIL-22-2017 and FIL-27-2021.
• The FDIC states that the release applies to all FDIC-supervised financial institutions, but says the guidance is expected to be most relevant to banking organizations with more than $30 billion in total assets.
• Institutions at or below that asset level should not treat the release as irrelevant on autopilot. The guidance says it may still matter where model risk exposure is significant because of model prevalence, complexity, or activities outside traditional community banking.
• The revised framework is deliberately non-prescriptive. The FDIC says the guidance does not create enforceable standards and that non-compliance with the guidance alone will not produce supervisory criticism.
• The practical effect is not a rote rewrite of every existing model governance document. The more immediate task is to reassess inventory, materiality, validation, monitoring, governance, and vendor-model oversight against the revised principles and identify where legacy practices were built around rescinded guidance rather than current risk.

What the Regulator Issued

On April 17, 2026, the FDIC published FIL-15-2026, Agencies Revise the Interagency Model Risk Management Guidance, together with an attached revised interagency guidance document. The official release states that the FDIC, the Office of the Comptroller of the Currency, and the Board of Governors of the Federal Reserve System jointly issued the revised guidance and that the FDIC rescinded its existing model risk management guidance with that issuance.

The release identifies two rescinded FDIC items: FIL-22-2017, which adopted earlier supervisory guidance on model risk management, and FIL-27-2021, which addressed model risk management for bank models and systems supporting Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control compliance. The FDIC also states that the revised guidance is expected to be most relevant to banking organizations with over $30 billion in total assets, while still applying the FIL itself to all FDIC-supervised institutions.

The attached guidance describes a risk-based approach tailored to a banking organization’s model risk profile and the size and complexity of its operations. It addresses model development and use, validation and monitoring, governance and controls, and vendor and other third-party products. The guidance defines a model as a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to transform inputs into quantitative estimates, and it excludes simple arithmetic calculations and deterministic rule-based processes that do not rest on those theories.

Who Is Impacted

The most direct impact falls on FDIC-supervised banking organizations that rely on material models in significant business lines, services, operations, or control functions. The release itself says the revised framework is expected to be most relevant above the $30 billion asset threshold. That is an important supervisory signal, but not a safe harbor for smaller institutions.

The guidance expressly contemplates that banking organizations with $30 billion or less in total assets may still face meaningful relevance where model risk exposure is significant. In practice, that means management teams at smaller institutions should make an affirmative applicability assessment rather than defaulting to the view that the release is only for the largest banks. If a smaller institution uses a concentrated set of models that materially influence credit, capital, liquidity, allowance, pricing, fraud detection, interest rate risk, or other significant decisions, the revised principles may still matter even if the institution’s governance architecture is simpler.

The release also reaches beyond model developers and validation teams. Business-line owners who rely on model output, enterprise risk personnel, compliance teams, internal audit, vendor management, and governance committees all have a stake in this update. The attached guidance repeatedly links model risk management to model purpose, exposure, use, and aggregate dependencies, which means institutions should expect cross-functional accountability rather than treating model governance as a specialist function operating in isolation.

Key Dates and Deadlines

Not specified in the release. The official materials do not announce a future compliance date, phase-in period, or comment deadline.

• April 17, 2026: the FDIC, OCC, and Federal Reserve issued the revised interagency guidance.
• April 17, 2026: the FDIC states that, with issuance of the revised guidance, FIL-22-2017 and FIL-27-2021 are rescinded.
• No separate examiner transition timeline, grandfathering period, or deferred applicability date is identified in the release.

Practical Action Checklist

• Reconfirm the institution’s model inventory and test whether each item falls within the revised guidance’s model definition or should instead be governed under another control framework.
• Re-rank models using the guidance’s risk drivers, including inherent risk, exposure, purpose, use, and aggregate dependencies, rather than relying solely on legacy tiering labels.
• Identify which models support significant business lines, regulatory obligations, or major portfolio decisions, and place those models at the front of the review queue.
• Revise model risk management policy language where necessary so that it reflects a risk-based and materiality-sensitive approach instead of imposing identical procedures on every model.
• Check whether first-use validation, ongoing monitoring, limitation tracking, and remediation escalation are documented for high-materiality models, including any circumstances in which use may occur before validation is complete.
• Assess whether effective challenge is genuinely independent and competent across development, use, validation, and governance, especially where staffing constraints have blurred responsibilities over time.
• Review vendor and other third-party model products separately. Obtain current documentation on conceptual design, development inputs, performance limits, customization settings, and the institution’s ability to validate or monitor outputs despite proprietary constraints.
• Refresh the model inventory so it captures enough information to support both individual-model review and aggregate-risk analysis, including shared data sources, common assumptions, and concentrated dependencies.
• Update board or committee reporting so it shows material models, overdue validations, compensating controls, exception approvals, and vendor-model exposures in a way that permits informed oversight.
• If management concludes that the revised guidance is only partially applicable because of institution size or model profile, memorialize that conclusion in writing and identify the facts that would require reassessment later.

Open Questions / Watch Items

Several issues remain open on the face of the release. First, the agencies state that the guidance is generally most relevant above $30 billion in assets, but they do not provide a bright-line method for deciding when a smaller institution has significant enough model risk exposure to warrant fuller adoption. That leaves room for institution-specific judgment and, potentially, examiner-by-examiner variation.

Second, the release does not spell out how supervisors will evaluate transition from legacy programs built around rescinded FDIC guidance. Many institutions structured inventories, governance committees, validation templates, and issue-tracking processes around the earlier framework. The revised guidance is plainly evolutionary rather than wholly discontinuous, but the official materials do not specify whether examiners will expect prompt document updates, phased alignment, or evidence that the institution has deliberately mapped old controls to the new principles.

Third, the boundary between covered models and excluded tools may become important in practice. The guidance supplies a definition, but institutions using vendor platforms, hybrid scoring tools, parameter-driven engines, or heavily configured systems may need careful internal analysis before deciding what belongs inside the formal model inventory.

Fourth, the rescission of the 2021 FDIC guidance addressing certain Bank Secrecy Act, anti-money laundering, and sanctions-related models raises a practical watch item of its own. The April 17 materials do not explain whether examiners will expect any changed treatment for those systems beyond folding them into the revised general framework. Finally, the third-party section confirms that vendor-model validation remains necessary even when code, methodology, or development details are not fully available, but it does not identify what evidence will be sufficient when vendor opacity limits independent review.

My Law Tampa publishes this website memo as part of its public-facing coverage of banking and financial services regulatory developments.

This material is informational only, is not legal advice, and does not create an attorney-client relationship.

Source Materials

• Official publication: FIL-22-2017
• Regulator archive: FDIC memo archive
• Memo library: browse the full regulatory memo archive
• Related memo: FDIC Issues 2026 Consumer Compliance Supervisory Highlights
• Related memo: FDIC First Quarter 2026 Call Report Instructions: FIL-10-2026
• Related memo: FDIC FIL-13-2026: Final Rule Bars Use of Reputation Risk by Regulators