OCC Model Validation for AI/ML in Banking: SR 11-7 Extension Guidance
OCC Bulletin 2011-12, the OCC's issuance of the interagency model risk guidance better known by its Federal Reserve designation SR 11-7, applies to any quantitative method used for bank decision-making — which includes ML credit scoring models, fraud detection neural networks, and AI agents routing loan applications. The three pillars of SR 11-7 validation are conceptual soundness (theory, data, assumptions), ongoing monitoring (performance metrics, drift detection), and outcomes analysis (predicted vs. actual). Banks cannot outsource validation obligations for third-party AI models. The OCC's 2021 AI/ML FAQ supplement confirmed that ML models satisfy the "model" definition under SR 11-7 even when they lack traditional statistical interpretability.
What Counts as a Model Under SR 11-7
SR 11-7 defines a model as a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates used for decision-making. The key test is whether the output informs a business decision. An LLM answering customer FAQs is not a model. An LLM scoring credit applications or recommending loan terms is. The OCC 2021 AI/ML FAQ supplement explicitly confirmed ML models qualify — even black-box models without traditional interpretability — when their outputs drive bank decisions. This broad definition covers gradient boosting credit scorers, deep learning fraud detectors, NLP contract review systems, and agentic AI loan processors.
The Three Pillars of SR 11-7 Validation
Conceptual soundness requires documenting the theoretical basis for the model, justifying the algorithm selection, explaining training data sources and quality, and demonstrating that model assumptions hold in the deployment environment. For ML models, this includes explainability evidence for features and predictions.

Ongoing monitoring requires continuous tracking of performance metrics against baseline, input data distribution monitoring (PSI/KL divergence for structured models, semantic drift for LLM-based models), and defined thresholds triggering escalation.

Outcomes analysis requires comparing model predictions to actual outcomes over time — default rate predictions vs. actual defaults, fraud flags vs. confirmed fraud — with back-testing and challenger model benchmarking.
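As a sketch of the outcomes-analysis step, the back-test below compares a production (champion) model against a challenger on realized outcomes using a rank-based ROC AUC. The names `auc` and `challenger_gap` are illustrative, not part of any OCC framework, and the rank identity assumes untied scores:

```python
import numpy as np

def auc(y_true, scores):
    """ROC AUC via the Mann-Whitney rank identity (assumes untied scores)."""
    y_true = np.asarray(y_true)
    ranks = np.asarray(scores).argsort().argsort() + 1  # 1-based ranks
    n_pos = int(y_true.sum())
    n_neg = len(y_true) - n_pos
    # Rank-sum of positives, normalized to the [0, 1] AUC scale
    return (ranks[y_true == 1].sum() - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)

def challenger_gap(y_true, champion_scores, challenger_scores):
    """Out-of-time benchmark: a positive gap means the challenger
    outperforms the production model on realized outcomes."""
    return auc(y_true, challenger_scores) - auc(y_true, champion_scores)
```

In an actual outcomes-analysis report, the same comparison would run over each loan vintage's realized defaults, with the gap tracked against a materiality threshold defined in the bank's MRM policy.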
Documentation Requirements: What OCC Examiners Review
Model development documentation must exist before deployment and cover theory, data sources and quality, feature engineering rationale, algorithm selection justification, known limitations, and intended use.

Validation reports must be produced by a team independent from development, covering out-of-time/out-of-sample testing, adversarial testing, fairness analysis, and a formal finding.

Ongoing monitoring reports must be produced at intervals matching the model risk tier — monthly for high-risk production models, quarterly for lower-risk models.

Issue tracking must show findings with severity, owner, due date, and remediation evidence.

Change management documentation must capture material changes — including vendor model updates for third-party AI — and evidence of pre-deployment testing for each change.
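One way to make the issue-tracking elements above concrete is a structured record per finding. The schema below is a hypothetical illustration of those elements, not an OCC-prescribed format:

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class ValidationFinding:
    """One examiner-reviewable issue record: severity, owner, due date,
    and remediation evidence. Field names are illustrative only."""
    finding_id: str
    model_id: str
    severity: str                 # e.g. "high" / "medium" / "low"
    description: str
    owner: str
    due_date: date
    remediation_evidence: list[str] = field(default_factory=list)

    def is_overdue(self, today: date) -> bool:
        # Open (no evidence attached) and past its due date
        return not self.remediation_evidence and today > self.due_date
```

A tracking system built on records like this can answer the examiner's standing questions directly: which findings are open, who owns them, and what evidence closed the rest.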
Independent Validation: What Independence Means for AI Models
SR 11-7 requires the validation function to be independent from model development — the team that built the credit scoring model cannot validate it. For AI models, independence is structurally harder: development teams hold unique knowledge of training procedures, and external validators may lack ML expertise. The OCC FAQ guidance centers on effective challenge: validators must be able to probe assumptions, test edge cases, and form independent fitness-for-purpose opinions. For vendor AI models, independence requires contractual access to model cards, training data summaries, and performance benchmarks. Third-party validation can supplement but cannot replace internal validation. The bank remains responsible for validating all models used in its operations, including AI APIs and embedded ML scoring services.
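Effective challenge means concrete, testable probing rather than sign-off. A minimal sketch of one such edge-case test, assuming a hypothetical `score_fn` callable that wraps the bank's scoring model: it checks that scores move monotonically with a favorable feature, all else held fixed:

```python
def monotonicity_probe(score_fn, base_applicant, feature, values):
    """Effective-challenge probe: scores should not decrease as a
    favorable feature (e.g. income) increases, holding all else fixed.
    score_fn and the applicant dict are stand-ins for the bank's model API."""
    scores = []
    for v in sorted(values):
        applicant = {**base_applicant, feature: v}  # vary one feature only
        scores.append(score_fn(applicant))
    # Adjacent pairs where the score fell despite the feature rising
    return [(a, b) for a, b in zip(scores, scores[1:]) if b < a]
```

An empty result supports the model's conceptual soundness claim for that feature; any violation is a finding the validation team can document independently of the development team's own testing.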
Ongoing Monitoring: The Most Common Examination Finding
OCC examination findings consistently cite inadequate ongoing monitoring as the primary model risk management deficiency. Conceptual soundness documentation is usually present; outcome tracking is usually absent. For AI models, the monitoring challenge is compounded by model drift — the data distribution shifts, the real-world environment changes, and model performance degrades silently between revalidation cycles. SR 11-7 requires monitoring frequency to match model risk tier: high-risk models used in every loan decision should be monitored monthly; lower-risk analytics models may qualify for quarterly review. The bank's MRM policy must define risk tiers, monitoring frequency standards, escalation thresholds, and the process for triggering revalidation when thresholds are breached.
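A minimal sketch of threshold-driven escalation, assuming a hypothetical policy table — the tier names, cadences, and PSI cutoffs below are illustrative assumptions, not OCC-prescribed values:

```python
import numpy as np

# Illustrative MRM policy table: monitoring cadence and PSI escalation
# threshold per risk tier (assumed values, not regulatory requirements).
MRM_POLICY = {
    "high": {"cadence_days": 30, "psi_escalate": 0.10},
    "low":  {"cadence_days": 90, "psi_escalate": 0.25},
}

def psi(expected, actual, bins=10):
    """Population Stability Index between the baseline (training-era)
    distribution and the current production distribution of a feature."""
    edges = np.quantile(expected, np.linspace(0, 1, bins + 1))
    edges[0], edges[-1] = -np.inf, np.inf  # catch out-of-range values
    e = np.clip(np.histogram(expected, bins=edges)[0] / len(expected), 1e-6, None)
    a = np.clip(np.histogram(actual, bins=edges)[0] / len(actual), 1e-6, None)
    return float(np.sum((a - e) * np.log(a / e)))

def needs_escalation(tier, expected, actual):
    """True when drift breaches the tier's threshold, triggering the
    escalation and revalidation process the MRM policy defines."""
    return psi(expected, actual) > MRM_POLICY[tier]["psi_escalate"]
```

Running this check on the monitoring cadence for each tier, and logging every breach as a tracked finding, produces exactly the outcome-tracking evidence examiners most often find missing.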