In banking, an AI model is a regulated object the day it touches a credit decision. SR 11-7 has governed model risk since 2011, and examiners now apply it to machine learning the way they applied it to statistical scorecards. Add ECOA and fair-lending law, and every automated decline must produce a specific, accurate adverse-action reason. Banks that treat governance as a launch gate, not a blocker, ship faster. The ones that bolt it on later end up explaining to a regulator why a black box denied a protected class. Explainability is not optional. It is examinable.
An AI model is a regulated object, not a science project
The moment a model influences a credit, fraud, or AML decision, it falls under supervisory expectations that predate the current AI wave. SR 11-7, the Federal Reserve and OCC guidance on model risk management issued in 2011, defines the whole lifecycle: development, validation, independent review, ongoing monitoring, and an inventory of every model in production. Examiners have made clear that machine learning models are in scope. A neural network scoring loan applications is governed exactly like the logistic regression scorecard it replaced, and the burden of proof sits with the bank.
Layered on top is fair-lending law. The Equal Credit Opportunity Act and Regulation B prohibit discrimination and require that any adverse action, a denial or a materially worse offer, come with specific and accurate reasons. The CFPB has stated plainly that there is no fintech or complexity exemption: if a model denies an applicant, the bank must be able to say why in terms a consumer can act on. That single requirement rules out unexplainable black-box models for consumer credit and forces explainability into the design from day one.
The regulatory perimeter keeps widening. Beyond SR 11-7 and ECOA, banks now weigh interagency guidance on third-party risk when a model is vendor-supplied, UDAP and UDAAP exposure when an AI-driven interaction misleads a consumer, and emerging state and federal attention on automated decision systems. The practical implication is that governance cannot be a document produced once for the launch committee. It has to be a living operating capability: an inventory that stays current, validation that repeats on a schedule, monitoring that fires alerts, and documentation that a third-party examiner can follow without a guided tour. Banks that treat this as a launch gate rather than a launch blocker ship models faster, because the controls are designed in and the answers to examiner questions already exist. The ones that bolt governance on after go-live spend the following quarter reconstructing evidence under supervisory pressure.
Map each control to the rule that demands it
Governance is not a single review. It is a set of controls, each tied to a specific regulatory expectation, applied across the model lifecycle.
| Control | What it requires | Regulatory anchor |
|---|---|---|
| Model inventory | Every production model registered, owned, and versioned | SR 11-7 model inventory |
| Independent validation | Review by a party separate from the developers | SR 11-7 effective challenge |
| Adverse-action logic | Specific, accurate denial reasons per applicant | ECOA and Regulation B |
| Fair-lending testing | Disparate impact analysis across protected classes | ECOA, Fair Housing Act |
| Ongoing monitoring | Drift, stability, and performance tracked in production | SR 11-7 ongoing monitoring |
Build governance in as a gate, not a bolt-on
- Register every AI model in a central inventory with an owner, a version, a validation status, and a documented intended use.
- Require independent validation before any model touches a live decision, with challenger analysis and documented limitations.
- Engineer adverse-action reason codes into consumer-credit models so every decline maps to a specific, accurate factor.
- Run disparate impact testing on protected classes before launch and on a recurring schedule after, and document the less-discriminatory-alternative search.
- Instrument production monitoring for drift and stability so a degrading model triggers review, not a customer complaint.
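One way to express the five gate controls above as an automated pre-deployment check, added here as an illustration and not taken from any regulator, bank, or product. The record fields, the 365-day and 90-day review intervals, and the two sample models are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Assumed review intervals; the page sets no specific schedule.
VALIDATION_MAX_AGE = timedelta(days=365)
FAIR_LENDING_MAX_AGE = timedelta(days=90)

def gate_failures(m, today):
    """Return the controls a model record fails; empty means it may go live."""
    fails = []
    if not all(m.get(k) for k in ("owner", "version", "intended_use")):
        fails.append("inventory: owner, version and intended use required")
    validator, validated_on = m.get("validator"), m.get("validated_on")
    if not validator or not validated_on:
        fails.append("validation: none on record")
    elif validator in m.get("developers", ()):
        fails.append("validation: validator also built the model")
    elif today - validated_on > VALIDATION_MAX_AGE:
        fails.append("validation: older than the review interval")
    if m.get("consumer_credit"):
        codes = m.get("reason_codes", {})
        missing = sorted(f for f in m.get("features", ()) if f not in codes)
        if missing:
            fails.append("adverse-action: no reason code for " + ", ".join(missing))
        tested = m.get("fair_lending_tested_on")
        if tested is None or today - tested > FAIR_LENDING_MAX_AGE:
            fails.append("fair-lending: disparate impact test missing or overdue")
    if not m.get("drift_alerting"):
        fails.append("monitoring: no drift alerting configured")
    return fails

def validated_share(inventory, today):  # percent with current, independent validation
    ok = sum(not any(f.startswith("validation") for f in gate_failures(m, today))
             for m in inventory)
    return 100.0 * ok / len(inventory)

# Constructed sample inventory (hypothetical schema, not real models).
TODAY = date(2024, 6, 1)
INVENTORY = [
    {"name": "card-underwriting", "version": "2.1", "owner": "credit-risk",
     "intended_use": "consumer card approvals", "developers": {"ana"},
     "validator": "mrm-team", "validated_on": date(2024, 1, 15),
     "consumer_credit": True, "features": ("utilization",),
     "reason_codes": {"utilization": "Balances too high relative to limits"},
     "fair_lending_tested_on": date(2024, 4, 20), "drift_alerting": True},
    {"name": "auto-loan-nn", "version": "0.9", "owner": "credit-risk",
     "intended_use": "consumer auto loans", "developers": {"raj"},
     "validator": "raj", "validated_on": date(2024, 5, 1),
     "consumer_credit": True, "features": ("dti", "embedding_17"),
     "reason_codes": {"dti": "Debt-to-income ratio too high"}},
]
```

The second record fails four controls at once, including a model input with no adverse-action reason mapped to it, which is the gap that surfaces only when a decline has to be explained.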
How AI governance goes wrong in banks
- Treating machine learning as exempt from SR 11-7 because it is new, when examiners apply the same lifecycle expectations.
- Deploying a model that cannot generate a specific adverse-action reason, creating direct ECOA exposure on every decline.
- Running fair-lending tests once at launch and never again, missing the drift that creates disparate impact over time.
- Letting the team that built the model also validate it, which defeats the effective-challenge requirement.
Governance metrics examiners will ask for
- Percentage of production models in the inventory with current, independent validation.
- Adverse-action reason accuracy and coverage across automated declines.
- Disparate impact ratios by protected class, tracked over time.
- Model drift and time-to-remediation for models flagged in monitoring.
Frequently asked questions
Does SR 11-7 apply to machine learning models?
Yes. Regulators have made clear that SR 11-7 model risk management covers machine learning the same as traditional statistical models. You need the full lifecycle: inventory, independent validation, effective challenge, and ongoing monitoring, regardless of the algorithm.
Can we use a black-box AI model for credit decisions?
Not for consumer credit. ECOA and Regulation B require specific, accurate adverse-action reasons on every denial, and the CFPB has said there is no complexity exemption. If a model cannot explain a decline in actionable terms, it cannot be used to make one.
How often should we run fair-lending testing on an AI model?
Before launch and on a recurring schedule after, because models drift. A model that passed disparate impact testing at launch can develop bias as data shifts, so ongoing testing plus a documented search for less discriminatory alternatives is the defensible standard.