AIRiskAware

Financial Services 11 min read 2026

AI Governance in US Financial Services: Fed SR 11-7, OCC, CFPB, and the Emerging Federal Framework

US financial institutions navigate AI governance through model risk management guidance, federal agency enforcement actions, and a rapidly developing state and federal legislative landscape. The 2026 compliance map for US banks, insurers, and fintechs.

Key Takeaways

  • SR 11-7 (Model Risk Management) is the foundational US banking AI governance framework — while written for traditional models, regulators have confirmed it applies to ML and AI models, and examination programs are testing compliance.

  • The CFPB has been the most active federal AI enforcement agency — its actions against algorithmic credit decisions, AI-generated adverse action notices, and discriminatory lending AI establish clear enforcement expectations.

  • The OCC, FDIC, and Federal Reserve have issued joint guidance on AI risk management that goes beyond SR 11-7 to address the specific characteristics of ML models — explainability, fairness testing, and third-party AI vendor oversight.

  • State insurance regulators have led on AI fairness in insurance — NAIC's model bulletin on AI in insurance has been adopted by multiple states and creates specific algorithmic fairness requirements for insurance AI.

  • The US AI regulatory landscape is still developing rapidly — the Executive Order on AI (October 2023) and subsequent agency guidance have established federal expectations, but comprehensive federal AI legislation has not yet passed.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."

US AI governance for financial services — the 2026 regulatory landscape

US financial services AI governance is shaped by sector-specific regulation from multiple agencies, each with enforcement authority. There is no single federal AI law, but the combination of existing statutes, new supervisory guidance, and active enforcement creates a substantive and enforceable framework.

Federal Reserve SR 26-2 (17 April 2026)

The most significant recent development. SR 26-2 — Supervisory Guidance on Model Risk Management Including Artificial Intelligence — supersedes SR 11-7 for banks and holding companies with $30 billion+ in total consolidated assets. It requires: materiality-tiered model risk management (not all AI systems get the same governance); continuous validation replacing annual revalidation; board-level accountability for AI governance; explicit treatment of AI and machine learning models including generative AI. Footnote 3 excludes "stand-alone" GenAI tools from the full MRM framework but expects governance appropriate to the risk. Federal Reserve, OCC, and FDIC issued it jointly, reflecting supervisory consensus.

CFPB

The Consumer Financial Protection Bureau has been active on AI credit and lending decisions. ECOA and FCRA adverse action notice requirements apply fully to AI-driven decisions — lenders cannot hide behind algorithmic complexity to avoid providing specific denial reasons. The CFPB has pursued enforcement actions involving AI in credit, collections, and servicing.

SEC

The SEC has focused on AI in broker-dealer and investment adviser contexts: AI-driven investment recommendations, predictive data analytics, and the use of AI in securities marketing (including "AI washing" — misleading claims about AI capabilities). The SEC's 2024 proposed rules on predictive data analytics remain under consideration.

OCC

The OCC's Model Risk Management guidance (OCC 2011-12) applies to AI models in national banks. The OCC participates in the interagency SR 26-2 framework. OCC examiners increasingly assess AI governance during examinations.

State regulation

State regulators and laws add another layer: Colorado AI Act (effective 30 June 2026) creates obligations for high-risk AI systems in insurance; NYC AEDT law (effective since July 2023) regulates automated employment decision tools; Illinois BIPA and Illinois AI Video Interview Act; multiple states have introduced AI insurance regulation. State attorneys general have enforcement authority under consumer protection statutes that apply to AI.

What financial services firms should do

  • For banks >$30B: implement SR 26-2 immediately — this is current supervisory guidance.

  • For all financial services: maintain an AI model inventory with materiality classification; implement validation appropriate to risk tier; establish board reporting on AI risk; include AI-specific provisions in vendor contracts; prepare for examination questions on AI governance.

  • For consumer-facing AI: ensure adverse action notice compliance; implement fair lending testing for AI credit models; monitor CFPB enforcement developments.

Primary sources: Federal Reserve SR 26-2 · CFPB · OCC
