Summary

In banking, an AI model is a regulated object the day it touches a credit decision. SR 11-7 has governed model risk since 2011, and examiners now apply it to machine learning the way they applied it to statistical scorecards. Add ECOA and fair-lending law, and every automated decline must produce a specific, accurate adverse-action reason. Banks that treat governance as a launch gate, not a blocker, ship faster. The ones that bolt it on later end up explaining to a regulator why a black box denied a protected class. Explainability is not optional. It is examinable.

Context

An AI model is a regulated object, not a science project

The moment a model influences a credit, fraud, or AML decision, it falls under supervisory expectations that predate the current AI wave. SR 11-7, the Federal Reserve and OCC guidance on model risk management issued in 2011, defines the whole lifecycle: development, validation, independent review, ongoing monitoring, and an inventory of every model in production. Examiners have made clear that machine learning models are in scope. A neural network scoring loan applications is governed exactly like the logistic regression scorecard it replaced, and the burden of proof sits with the bank.

Layered on top is fair-lending law. The Equal Credit Opportunity Act and Regulation B prohibit discrimination on a prohibited basis and require that any adverse action, a denial or a materially worse offer than the one requested, come with a statement of the specific principal reasons for it. The CFPB has stated plainly that there is no fintech or complexity exemption: if a model denies an applicant, the creditor must be able to say why in terms the consumer can act on. That single requirement rules out any model whose declines cannot be explained at the individual-applicant level, and forces explainability into the design from day one.

The regulatory perimeter keeps widening. Beyond SR 11-7 and ECOA, banks now weigh interagency guidance on third-party risk when a model is vendor-supplied, UDAP and UDAAP exposure when an AI-driven interaction misleads a consumer, and emerging state and federal attention on automated decision systems. The practical implication is that governance cannot be a document produced once for the launch committee. It has to be a living operating capability: an inventory that stays current, validation that repeats on a schedule, monitoring that fires alerts, and documentation that a third-party examiner can follow without a guided tour. Banks that treat this as a launch gate rather than a launch blocker ship models faster, because the controls are designed in and the answers to examiner questions already exist. The ones that bolt governance on after go-live spend the following quarter reconstructing evidence under supervisory pressure.

The framework

Map each control to the rule that demands it

Governance is not a single review. It is a set of controls, each tied to a specific regulatory expectation, applied across the model lifecycle.

| Control | What it requires | Regulatory anchor |
|---|---|---|
| Model inventory | Every production model registered, owned, and versioned | SR 11-7 model inventory |
| Independent validation | Review by a party separate from the developers | SR 11-7 effective challenge |
| Adverse-action logic | Specific, accurate denial reasons per applicant | ECOA and Regulation B |
| Fair-lending testing | Disparate impact analysis across protected classes | ECOA, Fair Housing Act |
| Ongoing monitoring | Drift, stability, and performance tracked in production | SR 11-7 ongoing monitoring |

Recommended actions

Build governance in as a gate, not a bolt-on

  • Register every AI model in a central inventory with an owner, a version, a validation status, and a documented intended use.
  • Require independent validation before any model touches a live decision, with challenger analysis and documented limitations.
  • Engineer adverse-action reason codes into consumer-credit models so every decline maps to a specific, accurate factor.
  • Run disparate impact testing on protected classes before launch and on a recurring schedule after, and document the less-discriminatory-alternative search.
  • Instrument production monitoring for drift and stability so a degrading model triggers review, not a customer complaint.
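
The three engineering items above (reason codes, disparate impact testing, drift monitoring) as one added Python example; this is illustration code written for this page, not a bank's model or the page's own code. It scores applicants with a small additive scorecard, derives adverse-action reasons by the max-points-lost method (rank each factor by how far the applicant's points fall below the best points attainable on it), computes an adverse impact ratio per group against a four-fifths screening threshold, and checks score-distribution drift with a population stability index (PSI). The scorecard bins, reason wording, base score, cutoff, decision log and bin counts are all constructed; the four-fifths ratio and the 0.25 PSI alert level are common industry rules of thumb, assumed here, not figures any regulation prescribes.

```python
"""Added example (not from the page): adverse-action reason codes from an
additive scorecard, an adverse impact ratio across groups, and a population
stability index for drift monitoring. Every number below is constructed."""
import math
from collections import Counter

# Hypothetical additive scorecard: (lower bound, upper bound or None, points) per bin.
SCORECARD = {
    "credit_history_months": [(0, 24, -40), (24, 60, 0), (60, None, 25)],
    "utilization_pct": [(0, 30, 20), (30, 70, -10), (70, None, -50)],
    "recent_delinquencies": [(0, 1, 15), (1, 3, -30), (3, None, -60)],
}
# Consumer-facing wording for each factor (constructed; in practice compliance-reviewed).
REASON_TEXT = {
    "credit_history_months": "Length of credit history is too short",
    "utilization_pct": "Proportion of balances to credit limits is too high",
    "recent_delinquencies": "Recent delinquency on one or more accounts",
}
BASE_SCORE, CUTOFF = 600, 620   # assumed scorecard intercept and decline cutoff
FOUR_FIFTHS = 0.8               # assumed adverse impact ratio screening threshold
PSI_ALERT = 0.25                # assumed PSI level that triggers model review


def feature_points(feature, value):
    """Look up the points the scorecard assigns to one feature value."""
    for lo, hi, pts in SCORECARD[feature]:
        if value >= lo and (hi is None or value < hi):
            return pts
    raise ValueError(f"{feature}={value} is outside every scorecard bin")


def score(applicant):
    return BASE_SCORE + sum(feature_points(f, applicant[f]) for f in SCORECARD)


def adverse_action_reasons(applicant, max_reasons=4):
    """Max-points-lost method: rank factors by the gap between the best points
    attainable on that factor and the points this applicant received. Factors
    on which nothing was lost are never cited, so every reason is specific to
    the applicant and actionable."""
    lost = {}
    for f, bins in SCORECARD.items():
        best = max(p for _, _, p in bins)
        lost[f] = best - feature_points(f, applicant[f])
    ranked = sorted(((pts, f) for f, pts in lost.items() if pts > 0), reverse=True)
    return [REASON_TEXT[f] for _, f in ranked[:max_reasons]]


def decide(applicant):
    """Approve at or above CUTOFF; every decline carries its reason codes."""
    s = score(applicant)
    if s >= CUTOFF:
        return {"score": s, "approved": True, "reasons": []}
    return {"score": s, "approved": False, "reasons": adverse_action_reasons(applicant)}


def adverse_impact_ratio(approved_flags, groups, reference_group):
    """Approval rate of each group divided by the reference group's rate.
    Ratios below FOUR_FIFTHS are flagged for fair-lending review."""
    totals, approvals = Counter(groups), Counter()
    for ok, g in zip(approved_flags, groups):
        approvals[g] += int(ok)
    rates = {g: approvals[g] / totals[g] for g in totals}
    ref = rates[reference_group]
    return {g: round(r / ref, 3) for g, r in rates.items()}


def psi(expected_counts, actual_counts, floor=1e-4):
    """Population stability index between a baseline and a current score
    distribution, both given as per-bin counts over the same bins. The floor
    keeps an empty bin from producing log(0)."""
    e_tot, a_tot = sum(expected_counts), sum(actual_counts)
    total = 0.0
    for e, a in zip(expected_counts, actual_counts):
        e_pct = max(e / e_tot, floor)
        a_pct = max(a / a_tot, floor)
        total += (a_pct - e_pct) * math.log(a_pct / e_pct)
    return round(total, 4)


if __name__ == "__main__":
    applicant = {"credit_history_months": 18, "utilization_pct": 82, "recent_delinquencies": 0}
    print(decide(applicant))
    # Constructed decision log: (approved, group) pairs for a fair-lending check.
    log = [(True, "A")] * 80 + [(False, "A")] * 20 + [(True, "B")] * 60 + [(False, "B")] * 40
    ratios = adverse_impact_ratio([ok for ok, _ in log], [g for _, g in log], "A")
    print({g: ("REVIEW" if r < FOUR_FIFTHS else "ok") for g, r in ratios.items()}, ratios)
    baseline = [10, 20, 40, 20, 10]   # constructed score-bin counts at validation
    current = [30, 30, 25, 10, 5]     # constructed score-bin counts this month
    drift = psi(baseline, current)
    print("PSI", drift, "alert" if drift > PSI_ALERT else "stable")
```

For a non-additive model (gradient boosting, a neural network) the same ranking is applied to per-applicant attributions (for example SHAP values) instead of scorecard points, and the validation question is whether each cited factor is one the applicant can actually change. The adverse impact ratio and PSI are computed on logged decisions and scores, so both can run on a schedule against production data rather than once at launch.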

Common pitfalls

How AI governance goes wrong in banks

  • Treating machine learning as exempt from SR 11-7 because it is new, when examiners apply the same lifecycle expectations.
  • Deploying a model that cannot generate a specific adverse-action reason, creating direct ECOA exposure on every decline.
  • Running fair-lending tests once at launch and never again, missing the drift that creates disparate impact over time.
  • Letting the team that built the model also validate it, which defeats the effective-challenge requirement.

Metrics that matter

Governance metrics examiners will ask for

  • Percentage of production models in the inventory with current, independent validation.
  • Adverse-action reason accuracy and coverage across automated declines.
  • Disparate impact ratios by protected class, tracked over time.
  • Model drift and time-to-remediation for models flagged in monitoring.

FAQ

Frequently asked questions

Does SR 11-7 apply to machine learning models?

Yes. Regulators have made clear that SR 11-7 model risk management covers machine learning the same as traditional statistical models. You need the full lifecycle: inventory, independent validation, effective challenge, and ongoing monitoring, regardless of the algorithm.

Can we use a black-box AI model for credit decisions?

Not for consumer credit. ECOA and Regulation B require a statement of the specific principal reasons for every adverse action, and the CFPB has said there is no complexity exemption. If a model cannot explain a decline in terms the applicant can act on, it cannot be used to make one, whatever the algorithm.

How often should we run fair-lending testing on an AI model?

Before launch and on a recurring schedule after, because models drift. A model that passed disparate impact testing at launch can develop bias as data shifts, so ongoing testing plus a documented search for less discriminatory alternatives is the defensible standard.