When the Federal Reserve, OCC, and FDIC retired SR 11-7 and issued SR 26-2 in April, most of the headlines focused on AI. That framing is right but incomplete. SR 26-2 is genuinely about AI — but the deeper shift is that the agencies finally acknowledged what every practicing risk officer already knew: the old model risk framework was written for a world of econometric credit models, and that world stopped existing somewhere around 2019.
For community banks, the question is not whether SR 26-2 applies. It does. The question is what proportionate compliance actually looks like when you don't have a model risk department, a validation team, or a seven-figure governance budget. Below is what I'm seeing from the inside — the substantive changes, the things that haven't changed, and a practical first move for institutions under $10 billion.
From SR 11-7 to SR 26-2: a brief history
SR 11-7 was issued in 2011 and was, for fifteen years, the closest thing American banks had to a unified model risk standard. It was elegant in its restraint: a model was anything that took inputs through a quantitative method and produced an output used in a business decision. Governance hung off that definition through three pillars — development, implementation, and use; validation; and governance, policies, and controls.
The problem was that SR 11-7 assumed every model was a thing your bank had built, or at minimum a thing your bank fully understood. It said little about machine-learning systems whose internal logic resists meaningful inspection. It said less about AI features embedded in vendor products you didn't choose to deploy. And it said nothing about generative AI, which didn't exist in any commercially meaningful form when the guidance was written.
SR 26-2 doesn't replace those concepts — it extends them. The three pillars are still the spine. But the model definition is broader, the expectations around opacity and ongoing monitoring are sharper, and the scope of governance is explicitly expanded to include AI tools regardless of how they got into your institution.
What's actually new
Four substantive shifts matter for community banks. None of them are surprising. All of them are now expected.
1. The model definition expands to AI — including third-party AI
SR 11-7 left a gray area for AI systems with non-quantitative inputs. SR 26-2 closes it. If a system produces an output that informs a business decision — pricing, underwriting, fraud, BSA, marketing, document handling, customer routing — it's in scope. And critically, "your" models now include AI components inside vendor software. The old workaround of treating vendor AI as a vendor management problem rather than a model risk problem is gone.
2. Validation expectations get more granular for opaque models
SR 26-2 explicitly addresses the validation challenge of models whose logic isn't fully interpretable. The expectation isn't that you white-box every model — it's that you document what you can't validate, justify the residual risk, and put compensating controls in place. For community banks that lean on vendor AI, this means asking different questions during due diligence: not "is the model accurate" but "what can you tell us about how the model behaves, fails, and is monitored."
3. Ongoing monitoring becomes more prescriptive
Where SR 11-7 expected periodic validation, SR 26-2 expects ongoing monitoring — performance metrics, drift detection, exception handling — with cadence and thresholds documented in the model governance framework. The agencies aren't dictating how often, but they are dictating that the cadence be deliberate and the thresholds be set in advance, not after a problem surfaces.
4. Governance ownership escalates
Board-level engagement with AI risk was implicit in SR 11-7. It's explicit in SR 26-2. The board is expected to approve the AI governance framework, receive periodic reporting on AI risk posture, and document its oversight in the minutes. For most community banks, this means standing up — or formalizing — an AI Governance Committee that reports up to a board-level risk committee.
What hasn't changed
The proportionality principle is intact. SR 26-2 explicitly reaffirms that compliance must be sized to the bank's complexity, risk profile, and use of models. The agencies are not expecting a $700 million bank to operate the model risk function of a $700 billion one.
The three lines of defense remain the structural backbone. First line owns the use of the model. Second line owns the governance and validation. Third line provides independent assurance. Whether those lines are three people or three departments depends on your size — but the separation of duties is non-negotiable.
And the spirit of the original guidance — that model risk is a real risk, that it deserves the same treatment as credit or operational risk, that the goal of governance is to use models well rather than avoid them — that's all still there. The agencies have not retreated from any of it.
The agencies are not expecting a $700 million bank to operate the model risk function of a $700 billion one. But the expectation that the bank operates some version of that function — documented, deliberate, defensible — is now table stakes.
The community-bank gap
Here is the practical problem. Most community banks under $10 billion don't have a dedicated model risk officer. The function is informally distributed across the ISO, the CRO, the CCO, the CFO, and whoever happens to be the most quantitatively literate person in the room. AI tools have been entering the bank for several years — often through vendor upgrades that didn't even flag the AI component — with no formal inventory, no risk classification, and no documentation of how the bank decided to trust them.
SR 26-2 doesn't punish this state of affairs. But the next exam cycle will surface it. The first examiner question is no longer "do you use AI" — it's "what AI is in your stack, who governs it, and what's your evidence." Banks without a clean answer will find themselves under additional scrutiny regardless of asset size.
A 90-day response plan
If your bank doesn't have a current AI governance framework, the first ninety days should focus on building the foundation. Not the entire program — the foundation. Roughly:
Weeks 1–3: Inventory
Document every AI system in the bank. Include in-house AI, vendor AI that you knowingly deployed, and AI features that arrived through vendor upgrades. For each entry, capture the business purpose, the owner, the risk level, and the validation status. This document becomes the spine of everything else.
Weeks 4–6: Risk classification
Apply a tiering framework to each AI system — high, moderate, low — based on the materiality of the decisions it informs. A generative AI tool used for drafting internal memos is not the same risk as an AI-assisted credit decisioning system. Classify accordingly. The classification drives the depth of governance each system requires.
Weeks 7–9: Policy and charter
Adopt a foundational AI governance policy and stand up an AI Governance Committee with a charter, members, cadence, and reporting line. The policy doesn't need to be perfect on day one. It needs to exist, be approved by the appropriate authority, and establish how the bank will make AI decisions going forward.
Weeks 10–12: First board report
Deliver a first AI risk report to the board or board-level risk committee. Include the inventory summary, the risk classification distribution, any high-risk findings, and the planned next steps. This single artifact — documented, accepted, and minuted — transforms the bank's regulatory posture more than any other single action.
Ninety days will not get you to a mature program. It will get you to a defensible one. That's the right goal for the first quarter.
What this means for examiners — and for you
Examiners are still calibrating their own SR 26-2 expectations. Their first few cycles under the new guidance will lean on the same proportionality principle the agencies built into the text. But the bar is rising, and the rate at which it rises is faster than any community bank can match by reacting alone. The institutions that come through the next eighteen months in the best position are the ones treating SR 26-2 not as a project but as a permanent operating shift — the same way the industry eventually treated BSA, BSA/AML, and cyber.
For community banks, the message is straightforward. Build the foundation now. Size it to your institution. Document the decisions. The regulatory environment will continue to evolve, but the discipline you put in place this year will be the discipline you build on for the next decade.