Model Risk Management SR 11-7

United States | 2011 | Risk Management

What is SR 11-7?

SR 11-7 — formally Federal Reserve Supervisory Letter SR 11-7 and the parallel OCC Bulletin 2011-12, both titled Supervisory Guidance on Model Risk Management — is the foundational US supervisory guidance on identifying, managing, and mitigating risks arising from the use of quantitative models.

It was issued jointly by the Federal Reserve and the OCC on 4 April 2011 and subsequently adopted by the FDIC in 2017. The principles, governance expectations, and validation requirements set out in SR 11-7 have become the de facto global standard for model risk management across banking, insurance, and adjacent regulated industries.

SR 11-7 is technical guidance rather than a formal rule, but in practice it is treated as effectively binding. SR 11-7-compliant frameworks are the baseline expectation across credit risk, market risk, BSA/AML, capital adequacy, stress-testing, fraud, and AI/ML models — see our broader explainer on governance, risk and compliance setup.

Why SR 11-7 matters

Before 2011, model risk was treated as a sub-component of operational or market risk, with no consistent supervisory expectation for how it should be governed. SR 11-7 established model risk as a discrete risk type requiring its own governance framework, dedicated validation function, model inventory, and board-level oversight.

Two consequences followed. Every major US bank built or rebuilt its model risk programme around SR 11-7's three pillars — a multi-year programme of substantial investment. And examiners gained a consistent reference for assessing model risk, making weak model risk management one of the most frequently cited findings in supervisory letters and enforcement actions.

The guidance also reaches into AML and BSA programmes. Transaction-monitoring models, sanctions-screening engines, customer risk-rating models, and AI/ML detection systems are all expected to satisfy SR 11-7-grade governance — particularly in institutions subject to NYDFS Part 504. Our broader AML compliance complete guide sets out where model governance fits into the wider programme.

How SR 11-7 defines a model

SR 11-7 defines a model broadly as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates."

The definition is intentionally wide and covers:

  • Traditional statistical models — credit scorecards, value-at-risk, CCAR submissions
  • AML models — transaction-monitoring rules and scenarios, sanctions matching algorithms, customer risk-rating models
  • Machine-learning and AI models — including fraud detection, underwriting, and decisioning
  • Vendor-supplied tools — third-party models embedded in the institution's workflows
  • End-user computing — spreadsheets and analyst tooling where they produce material outputs

The breadth of the definition means most banks discover, on close inspection, that they operate hundreds or thousands of in-scope models — many of which had previously been treated as ungoverned tooling.

The three core elements of model risk management

SR 11-7 organises model risk management around three core elements that together form the framework's structural foundation: development, validation, and governance.

1. Robust model development, implementation, and use

The first pillar requires a clearly articulated purpose, well-documented design choices, fit-for-purpose data, rigorous testing, and clear documentation. The model's intended use must align with its design.

"Model misuse" — applying a model outside its tested scope — is treated as a distinct source of model risk that institutions must explicitly control.

2. Effective validation

Validation must be independent, comprehensive, and ongoing — performed by individuals not involved in model development. It covers three components: conceptual soundness (the model's theoretical foundations, design assumptions, and limitations); ongoing monitoring (continuous testing of model performance against its intended use over time); and outcomes analysis (comparison of model outputs to actual outcomes through back-testing, benchmarking, and process verification).

Validation must be proportionate to model risk and refreshed on a defined cycle.

3. Governance, policies, and controls

The third pillar covers board and senior management oversight, written model risk management policies, role and responsibility definitions, a comprehensive model inventory with risk tiering, change management, and clear escalation paths. Internal audit must independently assess the framework periodically.

Independent validation

Independent validation is the single most-discussed component of SR 11-7. The guidance is explicit that validation must be performed by individuals not involved in the development, implementation, or use of the model — and validators must have the necessary skill, knowledge, and stature to effectively challenge the model.

Validation must cover three areas, with findings documented, tracked, and remediated. Conceptual soundness asks whether the model makes sense theoretically and methodologically. Ongoing monitoring asks whether it is still performing as intended. Outcomes analysis asks whether its outputs match reality through back-testing and benchmarking.

Material findings must be escalated to senior management and the board. A common failure pattern is validation in name only — performed without genuine independence, depth, or follow-through — and this is one of the most consistently cited weaknesses in supervisory examinations.

Model inventory and risk tiering

Every institution must maintain a comprehensive model inventory capturing each in-scope model, its purpose, owner, vendor (if any), input data, methodology, validation status, performance metrics, and assigned risk tier.

Risk tiering assigns each model to a tier based on materiality — financial impact, regulatory significance, complexity, and reliance:

Tier | Typical examples | Validation depth
High | Capital, credit decisioning, CCAR submissions, AML transaction monitoring at large institutions | Most intensive — full validation on a defined cycle, dedicated review
Medium | Pricing, market risk on standard products, fraud-rule engines, customer risk-rating | Proportionate — risk-based validation cycle
Low | Internal analytical tools, end-user computing with limited downstream reliance | Lightest — basic validation and documentation

The inventory itself is regularly examined by supervisors as evidence of the breadth and currency of the institution's model risk awareness.

SR 11-7 and AML / BSA models

Although SR 11-7 originated in credit and market risk, it has become foundational to AML and BSA model governance. Transaction-monitoring scenarios, customer risk-rating models, sanctions matching algorithms, and emerging AI/ML detection models all fall within SR 11-7's model definition.

New York's NYDFS Part 504 explicitly requires model validation and is widely interpreted as an SR 11-7-aligned overlay for transaction monitoring and sanctions filtering. Federal supervisors apply SR 11-7 principles when examining AML model performance through the FFIEC BSA/AML Examination Manual.

For institutions deploying transaction monitoring at scale, SR 11-7 governance is the basis on which scenario design, threshold tuning, validation evidence, and model-change controls are assessed. Effective AML screening programmes likewise depend on SR 11-7-grade governance over the matching engine.

SR 11-7 and AI / machine learning models

SR 11-7 was written in 2011, before the modern wave of machine-learning and AI adoption. Its principles are model-agnostic and apply equally to ML and AI models.

Supervisors have publicly confirmed that ML and AI models used in regulated decisioning fall within SR 11-7's scope, and have flagged specific areas where ML models warrant enhanced attention:

  • Interpretability — understanding why the model produced a particular output
  • Fairness — testing for disparate impact across protected classes
  • Drift detection — monitoring changes in data distributions and feature relationships
  • Training-data quality — provenance, representativeness, and labelling quality
  • Ongoing monitoring — of features and predictions, not just outputs
  • Explainability — supporting reason codes for adverse decisions

The Federal Reserve, OCC, and FDIC have all issued supplementary materials addressing the application of SR 11-7 to AI/ML contexts. Institutions deploying AI in credit, AML, fraud, and customer-facing functions are expected to operate SR 11-7-grade governance over those models.

Governance and board oversight

A defining feature of SR 11-7 is the role it assigns to the board of directors and senior management — together forming the three lines of defence applied to model risk.

The board approves the model risk management policy, sets the appetite for model risk, receives regular reporting on the model risk profile, and ensures the framework is properly resourced and independent. Senior management implements the framework, maintains the model inventory, ensures validation is performed, and escalates material issues. Internal audit provides independent assurance over the framework itself.

Together these governance layers produce defensible evidence during regulatory examinations and form the structural backbone of an SR 11-7-compliant programme.

Institutions selecting tooling for AML model environments often reference our overview of the best AML software for regulatory compliance when evaluating SR 11-7-grade options.

Key Obligations

1. Establish a model risk management framework — written policies, defined roles and responsibilities, board-approved appetite for model risk.
2. Maintain a comprehensive model inventory — every in-scope model captured with purpose, owner, methodology, vendor, validation status, and assigned risk tier.
3. Apply risk-based tiering — depth and frequency of validation and monitoring proportionate to model materiality, complexity, and regulatory significance.
4. Robust model development — clearly articulated purpose, fit-for-purpose data, rigorous testing, and full documentation; control against model misuse.
5. Independent validation — performed by individuals not involved in development; covers conceptual soundness, ongoing monitoring, and outcomes analysis.
6. Ongoing monitoring and outcomes analysis — continuous performance assessment, back-testing, benchmarking, and process verification on a defined cycle.
7. Change management and escalation — formal processes for model changes, with material findings escalated to senior management and the board.
8. Board and senior management oversight — regular reporting on the model risk profile; internal audit provides independent assurance over the framework.

Manual Details

Issued by: Board of Governors of the Federal Reserve System (Federal Reserve) jointly with the Office of the Comptroller of the Currency (OCC)
Citation: Federal Reserve SR Letter 11-7 / OCC Bulletin 2011-12 — Supervisory Guidance on Model Risk Management
Issued: 4 April 2011
Adopted by FDIC: 18 June 2017 (FIL-22-2017)
Jurisdiction: United States
Applies to: US banks, bank holding companies, FBOs with US operations, and federally regulated financial institutions
Category: Risk Management — model governance

FAQ