Skip to main content

From compliance to value: Navigating the SR 26-2 transformation

The first major update to model risk guidance in over a decade codifies industry best practices into a pragmatic, risk-based framework, compelling a strategic evolution of the MRM function.

Download PDF

For years, Model Risk Management (MRM) leaders have been challenged to manage growing model inventories with flat budgets while often being perceived as a bottleneck to innovation. The new SR 26-2 guidance from federal regulators directly addresses this reality. Rather than inventing new principles, SR 26-2 largely codifies and formalizes the best practices that mature MRM functions have begun adopting over the last decade, accelerating the strategic evolution of the MRM function.

For banks, this is a pivotal moment. Firms that embrace this transformation will build leaner, risk-driven, value-additive MRM functions that enable model velocity, reduce control costs, and reinforce trust with all stakeholders.

 

Dive into our thinking:

From Compliance to Value: Navigating the SR 26-2 Transformation

Download PDF

The New Era of Model Risk Management

For fifteen years, SR 11-7 provided the foundational discipline for MRM. However, its rigidity often required substantial validation capacity toward models that posed immaterial risk to organizations, development and validation testing that was designed to check sensitivity and stability testing boxes, and annual review processes designed to meet SR 11-7’s expectations for annual model periodic reviews.

SR 26-2 operationalizes the lessons learned and provides the regulatory backing to manage model risk like any other business risk: by assessing its magnitude and applying a proportionate level of control.

Thematic Changes and Strategic Implications

Key Theme

Strategic Implication for Model Risk Management

1. Prioritization and Efficiency

SR 26-2 provides two levers to focus resources:

1. It formalizes risk-based tiering and introduces an "immaterial" designation, providing an expedited path with limited oversight.

2. It narrows the model definition to exclude simple arithmetic and deterministic rules-based calculations as well as generative and agentic AI, allowing for aggressive inventory de-scoping.

What it means: The focus shifts from "validating everything" to a defensible portfolio management discipline. MRM leaders must use this mandate to rationalize inventories, invest in GenAI tooling to press on continuous monitoring, and focus expert validator capacity to the highest-risk models.

2. Pragmatism and Flexibility

The guidance introduces flexibility across the MRM lifecycle in three ways:

1. Validation Timing: It permits model use before validation is complete to meet an "urgent business need," provided strict compensating controls are in place.

2. Validation Scope: It explicitly links the rigor of all validation testing to the model's assigned risk tier, removing prescriptive requirements.

3. Periodic Review: It removes the requirement for MRM to periodically review models “at least annually”.

What it means: MRM can now operate as a agile business partner. This requires building robust governance for managing exceptions and tailoring validation plans based on risk, not on a generic checklist.

3. Clarified Scope, Governance, and Regulatory Stance

SR 26-2 refines the boundaries of MRM and clarifies the regulatory relationship:

1. Scope Boundaries: It sets a presumptive $30B asset threshold for applicability.

2. Effective Challenge: It shifts focus from rigid organizational design to the demonstrable "rigor and effectiveness" of the validation review itself.

3. Enforceability Nuance: It clarifies that criticism will arise when deviation from the guidance is found in association with evidence of an unsafe or unsound practice.

What it means: The clearer scope provides regulatory relief for smaller institutions. The focus on demonstrable challenge provides governance flexibility, while the clarification on enforceability implies criticism will not be issued for non-compliance with the guidance alone. Instead, criticism related to MRM will likely arise from broader reviews where a deviation from the guidance is found in association with other evidence of an unsafe or unsound practice.

Community Bank Insight

Banks with less than $30 billion in assets should not interpret the $30 billion threshold in SR 26-2 as categorical. Language on this topic is vague, such as “most relevant”, “typically”, and “generally”. Where the use of model risk materially contributes to a bank’s risk profile (through complexity or impact to business processes), they should still consider executing appropriate risk mitigation activity. 

The Business Case for Transformation

Adopting SR 26-2 is a strategic opportunity; not a compliance exercise. By embracing a risk-based framework, risk and modeling leaders can:

01
Reduce Control Costs:

De-scoping low-risk tools and tailoring validation scope directly reduces overall level of effort, freeing up expensive quantitative talent to focus on higher risk activities.

02
Increase Speed to Market:

The regulatory sanctioning of "provisional use" and a focus on what truly matters allows MRM to move from a gatekeeper to a strategic enabler of innovation.

03
Strengthen Defensibility:

A well-rationalized, risk-based framework provides a much stronger and more logical narrative for regulators and auditors than a one-size-fits-all approach.

What Institutions Should Do to Now

Adapting to SR 26-2 requires a proactive and structured approach. Organizations should not view this as a simple policy update but as an opportunity to re-engineer their MRM function for greater efficiency and effectiveness. The immediate priorities should be:

    1. Re-architect the Foundation: Enhance your existing tiering framework to ensure appropriate incorporation of concepts of Inherent Risk and Materiality, and formally define the "immaterial" category and its associated, light-touch controls.
    2. Rationalize the Inventory: Conduct a targeted, systematic review of the model inventory to apply the new, narrower model definition and de-scope non-model tools. Confirm controls and risk processes (e.g., EUC programs) that will absorb tools that are dropped out of the model inventory to ensure risk is not unmitigated.

      AI Risk Management Insight

      Banks should not interpret the exclusion of Generative and Agentic AI from MRM guidance to be permission to ignore these solutions. Risk mitigation activity performed at the bank should still be commensurate with the risk those tools pose to your institution. Regulators are preparing an RFI on this topic with guidance forthcoming and, in the meantime, banks should be able to evidence sufficient governance (such as the KPMG Trusted AI framework) and MRM may play a role in that framework. 

    3. Tailor Validation Scope: Translate SR 26-2’s statements on testing scope flexibility into a concrete tiering matrix covering the validation pillars. Adjust annual/periodic review practices to be risk-based and, where applicable, identify or design receiving controls for elements that should continue to exist outside of that process (e.g., review of ongoing monitoring outcomes). 
    4. Operationalize Flexibility: Build the formal governance processes and control frameworks required to manage provisional model use and other exceptions safely.
    5. Policy Revision: MRM policies, committee charters, and documentation templates to embed the new guidance and any changes to governance processes or control frameworks.
    6. Define Materiality: Proactively build the overarching narrative required to demonstrate how the transformed MRM framework enhances risk management and satisfies Safety & Soundness principles. The focus must support how more tailored oversight strengthens, rather than weakens, overall governance.

    This transformation requires a blend of strategic vision bolstered by technology expertise. Proactive institutions that move quickly will not only ensure compliance but also build a competitive advantage through a leaner, more agile, and value-driven model risk management function.

    How KPMG Can Support Your Transformation

    KPMG helps the world’s leading financial services institutions navigate complex regulatory change. We work with clients to operationalize the SR 26-2 evolution by delivering:

    • Inventory Rationalization: Our teams apply well-established methodologies and accelerators to help you rapidly and defensibly rationalize your model inventory, unlocking immediate capacity and cost savings.
    • MRM Target Operating Model Redesign: We work with you to enhance your tiering methodology to align with SR 26-2 and redesign your MRM operating model for a more efficient, risk-based future.
    • SR 26-2 Readiness Assessment: We provide independent assurance through mock exams and gap analyses to give your board and senior management confidence that your updated framework is regulator-ready while identifying actionable recommendations for enhancement.

    Drawing on deep financial services experience, we help our clients build a modern operating model to reduce control costs, accelerate time-to-value, and manage risk with confidence.

    Explore more

    Insight
    Webcast Replay Webcast Upcoming Listen Now From The Web

    AI in model risk

    A thought leadership series on AI-driven risk management, featuring insights on classification, validation, and monitoring of advanced models.

    Read more
    Insight
    Webcast Replay Webcast Upcoming Listen Now From The Web

    A modernized approach to model transformation

    Read more
    Sustaining model risk management excellence amid deregulations
    Insight
    Webcast Replay Webcast Upcoming Listen Now From The Web

    Sustaining model risk management excellence amid deregulations

    Financial institutions respond to a changing regulatory landscape

    Read more

    Meet our team

    Image of Adam Levy
    Adam Levy
    Principal, Modeling & Valuation, KPMG LLP
    Read bio
    Image of Mark J Wickware
    Mark J Wickware
    Advisory Managing Director, Financial Services, KPMG LLP
    Read bio
    Image of Kevin M Lowery
    Kevin M Lowery
    Managing Director, Advisory, Regulatory & Compliance, KPMG US
    Read bio
    Image of CJ Dean
    CJ Dean
    Director, Advisory | FS Regulatory & Compliance Services, KPMG US
    Image of Jacob Armstrong
    Jacob Armstrong
    Director Advisory, Regulatory & Compliance, KPMG US
    Read bio
    Image of Adam Levy
    Adam Levy
    Principal, Modeling & Valuation, KPMG LLP
    Read bio
    Image of Mark J Wickware
    Mark J Wickware
    Advisory Managing Director, Financial Services, KPMG LLP
    Read bio
    Image of Kevin M Lowery
    Kevin M Lowery
    Managing Director, Advisory, Regulatory & Compliance, KPMG US
    Read bio
    Image of CJ Dean
    CJ Dean
    Director, Advisory | FS Regulatory & Compliance Services, KPMG US
    Image of Jacob Armstrong
    Jacob Armstrong
    Director Advisory, Regulatory & Compliance, KPMG US
    Read bio

    KPMG. Make the Difference.


    Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

    The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

    © 2026 KPMG LLP, a Delaware limited liability partnership, and its subsidiaries are part of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

    For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

    Thank you!

    Thank you for contacting KPMG. We will respond to you as soon as possible.

    Contact KPMG

    Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.
    All fields with an asterisk (*) are required.

    By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's . Privacy Statement

    An error occurred.

    Job seekers

    Visit our careers section or search our jobs database.

    Search now!

    Submit RFP

    Use the RFP submission form to detail the services KPMG can help assist you with.

    Submit

    Office locations

    View locations

    International hotline

    You can confidentially report concerns to the KPMG International hotline

    Learn more

    Press contacts

    Do you need to speak with our Press Office? Here's how to get in touch.

    Contact

    Headline