Model risk management is an evolving topic for community banks and credit unions. While models have been around for a long time, their prevalence in artificial intelligence (AI), machine learning (ML), and other third-party software applications makes understanding and managing them more important than ever. Let's dive into some frequently asked questions about model risk management.
Table of Contents
- What does regulatory guidance say?
- What is a "model?"
- What is "model risk?"
- Why is model risk management important?
- How can I manage model risk?
- How often must I perform model validation?
- What if I only use third-party models?
- Other Frequently Asked Questions (FAQs)
- Conclusion
- Further Reading
What does regulatory guidance say?
The agencies' initial Supervisory Guidance on Model Risk Management was published in 2011. This guidance was rescinded and replaced in April 2026 by revised interagency Model Risk Management guidance.
There are two aspects of this updated guidance that are worth noting before we dive into the rest of this blog:
- $30 Billion Asset Threshold. The revised guidance states that it is "expected to be most relevant to banking organizations with over $30 billion in total assets." However, the guidance also acknowledges it "may be relevant to banking organizations with total assets of $30 billion or less that have significant exposure to model risk because of the prevalence and complexity of their models."
- The AI Carve-Out. The revised guidance explicitly excludes generative AI and agentic AI models from scope, noting that they are "novel and rapidly evolving." However, the guidance also states, "the general expectation is that [the guidance] will be most useful for models supporting a banking organization's significant business lines, operations, services, and functions."
Examiners have been increasingly emphasizing model risk management in recent years. So, if you work for a community financial institution and you are using models (AI or otherwise) to make credit decisions, assess risk, or support significant operations, examiners may still expect to see evidence that you're managing model risk thoughtfully and in a way that mitigates risk of material financial impacts.
What is a "model?"
According to the interagency Model Risk Management: Revised Guidance, a "model" is:
"A complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates. The term "model" in this guidance excludes simple arithmetic calculations, such as those found within spreadsheets, as well as deterministic rule-based processes and software where there are no statistical, economic, or financial theories underpinning their design or use."
At a high level, a model works like this:
- Raw data goes into the model.
- The model processes the data and translates it into meaningful information.
- The model outputs the results in an easy-to-understand format.
- You then use the results to make informed business decisions.
For example, take a mortgage lending application. You input various data points about a property into the system, such as its location, size, and recent market trends. The application processes this information using statistical models and algorithms to generate a valuation report. Then, this report helps your institution determine whether offering a mortgage loan on the property is a good decision or not.
From a financial perspective, institutions may use models for a variety of purposes, such as:
- Assessing and approving credit
- Estimating the value of assets and liabilities
- Measuring and monitoring various types of risk
- Managing and protecting customer assets
- Evaluating capital strength and reserve requirements
These are the kinds of tools the guidance is squarely aimed at: systems where statistical or financial theory drives the output and where a flawed result could directly impact a business decision.
However, financial institutions are increasingly relying on other tools that may not meet the formal definition of a "model" under the guidance. For example, think about tools used for:
- Identifying, assessing, and mitigating cybersecurity threats and risks
- Generating content, like reports, meeting minutes, customer communications, or marketing materials
- Enhancing customer support through chatbots, sentiment analysis, and automated issue triaging
- Reviewing and screening content, such as résumé screening or other HR-related functions
Many of these fall outside the guidance's scope, either because they are rule-based or because they involve generative AI, but as we'll discuss, being out of scope does not mean being out of risk.
What is "model risk?"
No model is perfect. Because of this, there's always risk with using one.
The most significant risk associated with using a model is the risk of inaccurate outputs. Inaccurate outputs can have several causes, such as unintended misconfigurations, intentional tampering, or flawed input data. Inadequate training data and weak validation can also produce biased results, and a model that is not monitored over time can drift as the population it scores changes, so that outputs that were accurate when the model was deployed no longer are.
While models are intended to help, if the model is incorrect or if you use the model's output incorrectly, this can result in increased risk across the board (e.g., strategic, financial, compliance, operational, etc.).
Why is model risk management important?
Model risk management is important because it gives you a documented basis for trusting a model's outputs. Whatever you use the model to do, you know how it was built, what it was tested against, and how its results are checked, so you can tell when a result should be relied on and when it should be questioned.
How can I manage model risk?
Here are six steps you can follow to start managing model risk.
- Step 1: Create an inventory of the models you use. Consider the models you may have developed internally and the ones you use which are developed by a third party. A good place to start would be looking at anything that provides scores, suggests values, and/or helps you make decisions (e.g., lending software applications).
- Step 2: Prioritize the models by criticality. Put them in order based on how important they are to your business functions and decision-making processes. Start your risk management process with the most critical models first.
- Step 3: Determine how the model is trained. Evaluate the quality of the data on which the model is being trained (e.g., pre-trained on large datasets, fine-tuned on data sets relevant to the organization, trained on user inputs, etc.).
- Step 4: Identify what controls are in place to protect against biased, malicious, and/or unauthorized input. Models are susceptible to a variety of threats (e.g., automated or scripted abuse, prompt injection, training data manipulation, targeted poisoning, backdooring, etc.). Because of this, the system needs proper controls in place (e.g., data sanitization, input validation, anomaly detection, quality assurance, authentication and access controls, secure development, etc.).
- Step 5: Validate the model's accuracy. Perform model validation to ensure the outputs are what you would expect them to be. Validation can take many forms (e.g., professional review, historical comparison, benchmarking, confidence scores, outlier detection, random sampling, etc.).
- Step 6: Perform ongoing model validation. For many applications, performing model validation on a regular schedule is sufficient. If the underlying data changes frequently (e.g., real-time data streams, rapidly evolving user behavior, etc.) or supports critical operations, the model may need more frequent validation. Additionally, it is important to validate models after significant updates to make sure the changes did not break anything.
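The following is an added example of what Steps 4 through 6 look like when put into code; it is not code from the original post or from Tandem. It assumes a hypothetical credit-scoring model with a three-field input schema, a small constructed set of historical loans with known outcomes, and two constructed score samples (a reference sample from when the model was validated and a current sample), all defined inline. The input check is the kind of control Step 4 asks about, the backtest is the historical comparison from Step 5, and the population stability index (PSI) is a common drift check for Step 6.

```python
"""Added example: input validation, backtesting, and drift detection for a
scoring model. The model, schema, and data below are constructed for
illustration and are not a real lending model."""
import math

# Constructed input schema: field -> (minimum, maximum) accepted value.
SCHEMA = {"income": (0, 1_000_000), "dti": (0.0, 1.0), "credit_score": (300, 850)}


def validate_input(record):
    """Step 4 control: reject a record before scoring if it is missing a field
    or carries a value outside the declared range. Returns None when clean,
    otherwise a short reason string."""
    for field, (lo, hi) in SCHEMA.items():
        if field not in record:
            return f"missing field {field}"
        value = record[field]
        if not isinstance(value, (int, float)) or math.isnan(value) or not lo <= value <= hi:
            return f"{field}={value!r} outside [{lo}, {hi}]"
    return None


def toy_model(record):
    """Hypothetical stand-in for the model under validation. Produces a
    0..1 score from the three schema fields."""
    score = (0.6 * record["credit_score"] / 850
             - 0.4 * record["dti"]
             + 0.1 * min(record["income"], 200_000) / 200_000)
    return max(0.0, min(1.0, score))


def backtest(model, history, threshold=0.5):
    """Step 5: historical comparison. Each history item is (record, repaid).
    Returns the fraction of approve/decline decisions that matched the
    actual outcome."""
    correct = sum((model(rec) >= threshold) == repaid for rec, repaid in history)
    return correct / len(history)


def psi(reference, current, bins=10):
    """Step 6: population stability index between two samples of 0..1 scores.
    Common rule of thumb: < 0.10 stable, 0.10-0.25 watch, > 0.25 drift."""
    def hist(xs):
        counts = [0] * bins
        for x in xs:
            counts[min(int(x * bins), bins - 1)] += 1
        # Floor at a tiny value so empty bins do not produce log(0).
        return [max(c / len(xs), 1e-6) for c in counts]
    ref, cur = hist(reference), hist(current)
    return sum((c - r) * math.log(c / r) for r, c in zip(ref, cur))


def run_validation(model, history, reference_scores, current_scores,
                   min_accuracy=0.7, max_psi=0.25):
    """Tie the checks together into one findings dictionary a validator
    could file as evidence of the review."""
    accuracy = backtest(model, history)
    stability = psi(reference_scores, current_scores)
    return {
        "accuracy": accuracy,
        "accuracy_ok": accuracy >= min_accuracy,
        "psi": stability,
        "drift": stability > max_psi,
    }


# Constructed historical loans: (input record, whether the loan was repaid).
HISTORY = [
    ({"income": 90_000, "dti": 0.20, "credit_score": 780}, True),
    ({"income": 30_000, "dti": 0.60, "credit_score": 520}, False),
    ({"income": 150_000, "dti": 0.45, "credit_score": 700}, True),
    ({"income": 250_000, "dti": 0.10, "credit_score": 820}, True),
]

# Constructed score samples: reference is uniform over 0..1; current is
# bunched at the top, the shape you see when the scored population changes.
REFERENCE_SCORES = [i / 100 for i in range(100)]
CURRENT_SCORES = [min(0.99, i / 100 + 0.5) for i in range(100)]

if __name__ == "__main__":
    bad = {"income": 50_000, "dti": 1.5, "credit_score": 700}
    print("input check:", validate_input(bad))
    print(run_validation(toy_model, HISTORY, REFERENCE_SCORES, CURRENT_SCORES))
```

Run on the constructed data, the backtest scores 3 of 4 loans correctly, and the PSI between the two samples is far above 0.25, which is exactly the condition in Step 6 that should trigger a revalidation rather than waiting for the next scheduled review. The point of keeping the result in a dictionary is that it can be logged or attached to the model inventory entry as evidence for an examiner.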
How often must I perform model validation?
While there is no regulatory requirement to perform model validation on a set basis (e.g., at least annually), the revised guidance states:
"The timing, nature, and frequency of validation activities vary based on model purpose, model methodology, frequency and scope of model changes, data limitations, and other practical constraints."
Further clarifying this topic, OCC Bulletin 2025-26 states:
"A community bank using relatively few models of only moderate complexity might conduct significantly fewer model risk management activities than a bank where use of models is more extensive or complex. Similarly, a community bank's model validation frequency will generally be less than that of a larger bank with more extensive and complex model usage. Importantly, the OCC will not provide negative supervisory feedback to a bank solely for the frequency or scope of the model validation that the bank reasonably determined to perform based on the bank's risk exposures, its business activities, and the complexity and extent of its model use."
What if I only use third-party models?
The revised guidance states:
"The widespread use of customized vendor and other third-party products—including data, parameter values, or complete models—can present unique challenges for validation and other model risk management activities. […] Nevertheless, the principles of model risk management remain applicable."
In short, even if the model you use is developed by a third party, you are still ultimately responsible for the outcome. That being the case, you should ask your vendors about these areas. Determine how they train and validate their models. Based on the criticality of the model, consider requesting a model validation report and/or other proof of testing. If you're depending on a vendor to make decisions for you, you need to be aware of how they make (and protect) those decisions.
Other Frequently Asked Questions (FAQs)
Q: What is model risk management?
A: Model risk management is the process of identifying, validating, and overseeing the models you use to make decisions, so you can trust the outputs and manage the risk that comes with them.
Q: Does the new model risk management guidance apply to community banks?
A: The revised interagency guidance is formally aimed at institutions over $30 billion in assets, but if your institution uses models to support business decisions, managing the risk that comes with them is a good practice, regardless of asset size.
Q: Are community banks and credit unions required to manage model risk?
A: It depends on how and where you use models. The automated valuation model (AVM) final rule, for example, requires all mortgage originators and secondary market issuers, regardless of asset size, to maintain quality control standards for AVMs used in mortgage credit decisions. Broader model risk management requirements continue to evolve, but if your institution relies on models to make decisions, managing the associated risk is a best practice.
Q: What do bank and credit union examiners want to see for model risk management?
A: Generally speaking, it is a best practice to maintain a model inventory, a sense of which models are most critical to your operations, and evidence to show the models are being validated on a reasonable schedule.
Q: Does the new model risk management guidance cover AI?
A: Generative and agentic AI are explicitly excluded from the revised interagency guidance. However, just because AI models are excluded from the guidance doesn't mean they are exempt from risk management. Learn more in our Artificial Intelligence Risk Management Workbook.
Q: Am I responsible for third-party and vendor models?
A: Yes, even if a vendor built the model, your institution is still responsible for the outcome, so ask your vendors how they train, test, and validate their models.
Q: How often do community banks and credit unions need to perform model validation?
A: As often as the risk warrants. A simple, low-stakes model needs less frequent validation than one driving critical lending, capital, or compliance decisions.
Q: Where should a community bank or credit union start with model risk management?
A: Start by building an inventory of every model your institution uses, prioritize them by criticality, and build your validation and oversight process from there.
Conclusion
If your business is basing key decisions on model outputs, it is important to ensure the models are configured and validated correctly. For additional information about managing the risk of vendors who use AI models, download our Artificial Intelligence Risk Management Workbook or use the Artificial Intelligence (AI) review template in the Tandem Vendor Management product. Learn more about how Tandem can help you at Tandem.App/Vendor-Management-Software.
Further Reading
- Model Risk Management: Revised Guidance
- Quality Control Standards for Automated Valuation Models
- Interagency Advisory on Interest Rate Risk Management
- FCA Examination Manual: Direction & Control of Operations
- FDIC Examination Manual: Model Risk Management
- NCUA Examiner's Guide: Measurement Systems
- OCC Comptroller's Handbook: Model Risk Management
- OCC Comptroller's Handbook: Interest Rate Risk
- OCC Bulletin 2025-26: Model Risk Management: Clarification for Community Banks
Rescinded Guidance
- Supervisory Guidance on Model Risk Management (FDIC FIL-22-2017, FRB SR Letter 11-7, and OCC Bulletin 2011-12)
- Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance (FDIC FIL-27-2021, FRB SR Letter 21-8, OCC Bulletin 2021-19)
Update Log
- 10/07/2025 - Updated to address OCC Bulletin 2025-26 and include additional guidance references.
- 04/20/2026 - Updated to address the Model Risk Management: Revised Guidance.