The federal banking agencies’ revised model risk management guidance in SR 26-2 reflects a more explicitly risk-based approach to model governance, validation, and monitoring. Although the guidance is expected to be most relevant for organizations with more than $30 billion in assets, SR 26-2 is better understood as principles-based rather than purely scope-based. In practice, supervisory expectations remain tied to the materiality of model use, the complexity of the institution and its models, and the significance of the underlying use case — not simply to asset size alone. As a result, the guidance also signals important expectations for smaller banks that rely on models for credit, liquidity, capital, allowance, forecasting, and other high-impact decisions.
For regional and community banks, the most important takeaway is not that SR 26-2 imposes a one-size-fits-all framework, but that it clarifies how supervisory expectations scale with model risk, model materiality, and organizational complexity. Banks with $30 billion or less in assets are generally excluded from the guidance when their model risk profile is consistent with traditional community banking, but the agencies also note that SR 26-2 may still be relevant where model prevalence, complexity, or business activities create significant exposure to model risk.
That distinction matters for validation teams. In practice, it means banks should expect continued supervisory focus on whether their model risk management framework is appropriately tailored, whether the inventory captures all material models and third-party tools, whether validation is sufficiently independent and technically capable, and whether monitoring is robust enough to detect deterioration before losses or reporting issues emerge.
What Is New?
SR 26-2 preserves the core pillars of model risk management — development, validation, monitoring, governance, documentation, and vendor oversight — but places greater emphasis on proportionality and materiality. The guidance makes clear that model risk management can and should differ across banks, even for similar models, depending on the institution’s risk profile, business use, and the consequences of model output.
A notable refinement is the guidance’s stronger framing around model materiality. Rather than treating all models alike, SR 26-2 emphasizes a combination of model exposure and model purpose, with higher scrutiny for models that support regulatory reporting, risk measurement, or other critical decisions. For smaller banks, this is useful because it supports a more targeted validation plan that focuses the greatest effort on models with the largest business impact.
The guidance also reinforces the idea of aggregate model risk, including concentration risk that can arise from shared assumptions, common economic scenarios, and overlapping vendor dependencies across Current Expected Credit Losses (CECL), stress testing, liquidity, and capital planning models. This is an important point for institutions that may view each individual model as modest in complexity, but rely on a collection of vendor tools, spreadsheets, assumptions, overlays, and management estimates that can create correlated risk across functions.
Implications for Smaller Banks
For banks under $30 billion in assets, SR 26-2 effectively confirms that a leaner framework can still be sound, provided it is risk-based and well documented. The guidance explicitly states that such banks will typically rely on internal governance practices appropriate to their size and risk profile, which should give institutions room to scale validation without importing the full structure of a large-bank program.
At the same time, the exclusion is not absolute. Smaller institutions with complex CECL processes, advanced credit models, portfolio segmentation frameworks, stress testing tools, fintech partnerships, or significant vendor reliance may still need to align more closely with the principles in SR 26-2. In those cases, the practical question is not whether the bank is formally in scope, but whether the bank’s model risk is material enough to justify stronger governance, testing, and independent challenge.
For smaller banks, this creates an opportunity to right-size model risk management programs in a way that is both practical and defensible. A community bank does not need the same validation architecture as a large regional institution, but it does need a defensible inventory, clear model purpose statements, periodic performance monitoring, and validation procedures that are commensurate with the model’s use and risk.
Validation Focus Areas
The most important validation themes under SR 26-2 are conceptual soundness, outcomes analysis, and ongoing monitoring. Conceptual soundness remains the foundation: Validators should assess whether the model design, assumptions, inputs, and data choices are appropriate for the intended use, not merely whether the model “works” mechanically.
Outcomes analysis is also highlighted as a core validation tool. SR 26-2 expects banks to compare model outputs with actual outcomes, review deviations, and determine whether recalibration, adjustment, or redevelopment is warranted when performance deteriorates. For smaller banks, this is especially relevant for CECL, portfolio stress tools, and scorecards where limited data may require heavier reliance on benchmarking, reasonableness checks, and expert judgment.
Ongoing monitoring is more explicitly tied to model drift and changing business conditions. That matters because many banks have historically treated validation as an annual event rather than a continuous control process. Under SR 26-2, monitoring should be more clearly linked to product changes, portfolio shifts, data relevance, and market or economic changes that can undermine model performance between validation cycles.
Figure 1. Illustrative examiner focus by model type, model tier, and regulatory scrutiny
The heat map below illustrates how examiner attention typically increases as model tiering, business impact, and regulatory significance rise across common banking model types.
Note: Figure 1 is illustrative only. Actual examiner scrutiny depends not only on model type, but also on the model’s business use, the maturity of the bank’s governance framework, the size and risk characteristics of the underlying portfolio exposure, and the extent of reliance on management judgment.
What to Watch
One practical change is the increased emphasis on effective challenge. The guidance makes clear that challenge should be performed by objective experts with the expertise, independence, and standing to influence outcomes. For banks with limited staff, this may require a more deliberate use of outside validation support, clearer separation of duties, or stronger governance by management and board committees.
Another important item is the treatment of vendor and third-party models. SR 26-2 underscores that banks remain responsible even when the model is purchased or externally developed. That means validation teams should still assess conceptual soundness, data provenance where available, performance, and any customizations applied to fit the bank’s business use.
The guidance also reinforces the need for documentation and a comprehensive model inventory. For smaller banks, this does not necessarily mean a large enterprise system, but it does mean the bank must be able to explain what models it uses, why they matter, how they are governed, and what controls exist around them.
AI Considerations
SR 26-2 is notable for what it does and does not cover in artificial intelligence (AI). The agencies state that generative AI and agentic AI models are not within the scope of the guidance, but the principles do apply to traditional statistical and quantitative models and non-generative, non-agentic AI models.
That creates an important boundary for current validation work. Banks may be using AI-enabled tools for underwriting support, fraud analytics, document processing, or customer insights, and although generative and agentic AI may sit outside the formal scope of SR 26-2, regulators still expect governance, controls, monitoring, and risk assessment around AI-enabled decision tools. Where those tools are non-generative or non-agentic, the same model risk principles still apply: Define the use case, understand limitations, validate performance, monitor drift, and govern third-party dependencies.
This is also a useful point for banks to consider as AI adoption continues to expand. AI may increase the volume of models and model-like tools inside banks faster than traditional governance frameworks can adapt. For smaller institutions, the risk is not always cutting-edge AI; it is often the gradual accumulation of embedded third-party analytics and automated decision tools that are not fully inventoried, independently challenged, or monitored with the discipline regulators increasingly expect.
Another emerging consideration is the growing use of model-like tools, embedded analytics, automated decision systems, and Retrieval-Augmented Generation (RAG) / Large Language Model (LLM)-enabled workflows across banking operations. While many of these tools may not formally meet the traditional definition of a “model” under SR 26-2, they can still introduce operational, compliance, and decision-making risk when used in underwriting, fraud detection, reporting, or customer-facing processes. As banks increasingly rely on AI-enabled and third-party decision tools, institutions should consider whether existing governance, inventory, monitoring, and control frameworks are sufficient to identify and manage risks arising from these model-adjacent technologies.
Closing Angle
SR 26-2 should be viewed less as a sweeping new mandate and more as a refinement of supervisory expectations around model risk. For regional and community banks, the guidance reinforces that model risk management should be proportionate to the institution’s size, complexity, and model risk profile, while still being sufficiently rigorous for models that support critical financial, risk, compliance, and strategic decisions.
The practical implication is that banks do not need large-bank infrastructure to meet supervisory expectations, but they do need a defensible framework: a complete inventory, clear model tiering, tailored validation, effective challenge, and monitoring that is responsive to changes in portfolios, assumptions, and market conditions. The models most likely to draw examiner attention are generally those tied to reserve adequacy, balance sheet risk, capital, compliance, and customer impact.
For Ankura, this creates a clear opportunity to help banks right-size their programs by focusing resources where regulatory scrutiny and model risk are greatest. The goal is not to add unnecessary process, but to strengthen governance, improve documentation, and ensure that the bank can explain why its validation approach is commensurate with the significance of each model.
Based on discussions we have had with examiners and industry participants, it is also important not to oversimplify the guidance. Although SR 26-2 is non-binding supervisory guidance rather than a prescriptive rule, institutions may still face supervisory criticism where weak model governance, insufficient validation, poor monitoring, or ineffective controls contribute to unsafe or unsound practices. In practice, examiners continue to focus less on formal compliance with guidance language alone and more on whether a bank’s overall model risk management framework is appropriately robust, defensible, and commensurate with the institution’s actual risk exposure.
© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
