AI Governance for Banks: SR 11-7 & EU AI Act Compliance Guide

Why Banks Are Under the Most Pressure

Banks are among the most heavily scrutinized organizations for AI governance. The Federal Reserve and OCC's SR 11-7 has governed model risk management since 2011 — and regulators have made clear that AI tools, including large language models, ChatGPT, and third-party AI services, fall within its scope.

The EU AI Act adds further pressure for institutions operating in Europe: AI systems used in credit scoring, fraud detection, and customer-facing decisions are classified as high-risk and require conformity assessments, registration, and ongoing monitoring. Banks that fail to extend their model risk management programs to cover AI are creating examination findings today.

What SR 11-7 and EU AI Act Require

• Complete AI model inventory covering internally developed and third-party AI tools
• Risk tiering based on materiality, potential impact, and EU AI Act classification
• Pre-implementation validation for high-risk models with independent challenge
• Ongoing performance monitoring and drift detection
• Documented model owner and validator roles with segregation of duties
• Change management process for model updates and version changes
• Board and senior management reporting on AI model risk
• Vendor due diligence for all third-party AI providers
• EU AI Act conformity assessments for high-risk AI systems

What Banks Get Wrong

• Assuming SR 11-7 only applies to credit scoring models — it applies to all models including AI tools
• Excluding third-party AI tools (ChatGPT, Copilot) from the model inventory
• No validation process for AI tools adopted by business units outside of IT
• Insufficient documentation — examiners expect written evidence, not verbal assurances
• No EU AI Act classification assessment for AI systems used in regulated decisions