Free Consultation

AI/ML Model Risk Management Policy (Financial Services)

A ready-to-use template — fill in the bracketed placeholders and adopt it in your organisation.

AI/ML Model Risk Management Policy

Field Detail
Organisation [Organisation Name]
Document type Policy — approved, mandatory
Framework basis SR 26-2 · OSFI E-23 · PRA SS1/23 · MAS · Treasury/CRI FS AI RMF
Owner [Policy owner — e.g. AI Governance Lead]
Approved by [Accountable executive / Board]
Version / status v1.0 — DRAFT for adoption
Effective date [Date]
Next review [Date — at least annually]
Classification Internal
Prepared with autogovern.io — AI governance & risk templates

1. Purpose

This policy defines how [Organisation Name] manages model risk — the risk of adverse consequences from incorrect or misused model outputs — across all models, expressly including AI/ML models, over their full lifecycle. It aligns with SR 26-2 (US), OSFI E-23 (Canada), PRA SS1/23 (UK) and MAS expectations, and operationalises the Treasury/CRI FS AI RMF.

2. Scope

Applies to every model used by [Organisation Name] — quantitative methods that turn inputs into estimates/decisions — used for credit, pricing, capital, AML/fraud, trading, or servicing, whether built in-house, vendor-supplied, or embedded. Supervised ML is in scope. Generative and agentic AI are governed under the AI Governance & AI Risk Management policies and this policy where they function as models; note SR 26-2 currently excludes GenAI/agentic from its formal scope pending an interagency RFI.

3. Definitions

Term Meaning
Model A quantitative/algorithmic method that processes inputs into estimates, scores or decisions.
Model risk Risk of adverse consequences from incorrect or misused model output.
Materiality / tier The model’s risk rating driving validation intensity and oversight.
Validation Independent assessment of whether a model is sound and fit for purpose.
Effective challenge Critical, independent review with the competence, incentive and authority to change a model.
Ongoing monitoring Continuous performance, stability and drift tracking after deployment.

4. Governance — three lines of defence

Line Owner Model-risk role
1st line Model owners / developers Develop, document, use and monitor models; own the risk.
2nd line Model Risk Management / independent validation Set standards, validate, effectively challenge, maintain the inventory.
3rd line Internal Audit Assure the overall MRM framework.

The board / risk committee owns model-risk appetite and receives regular reporting on material models and validation findings.

5. Model inventory & tiering

Maintain a complete model inventory; assign each model a materiality tier (e.g. High/Medium/Low) from its financial, regulatory and reputational impact. Validation frequency, documentation depth and oversight scale with the tier.

Model Purpose Owner AI/ML? Tier Last validation Status
[model] [credit/pricing/AML/…] [owner] [yes/no] [H/M/L] [date] [dev/live/retired]

6. Model lifecycle & stage gates

Stage Key activity Gate
Development Sound design, data quality/lineage, documentation an independent party can reconstruct Development evidence complete
Validation Independent validation proportionate to tier Validation passed / conditions logged
Approval Effective challenge; owner + MRM sign-off Approved for use (tiered authority)
Monitoring Ongoing performance, drift & override tracking Monitoring live; thresholds set
Revalidation On material change, breach, or schedule Revalidation completed
Retirement Decommission safely; retain records Retirement approved

7. Independent validation

Validation, independent of development, covers: (a) conceptual soundness (design, assumptions, methodology); (b) ongoing monitoring & process verification (incl. benchmarking); and (c) outcomes analysis / back-testing. For AI/ML models, additionally assess data lineage, feature stability, overfitting, explainability/interpretability, and drift. Vendor and third-party models are validated too — outsourcing the model does not outsource the model risk.

8. AI/ML-specific controls

  • Explainability sufficient for the use case (reason codes for credit; documented interpretability for others).
  • Drift & performance monitoring with thresholds and a retraining/circuit-breaker playbook.
  • Bias/fairness testing where the model affects people (see the Fair Lending procedure).
  • Data governance — provenance, quality, representativeness.
  • Security — protection against data poisoning and model theft.

Regulatory & framework mapping (financial services)

Instrument Jurisdiction What this policy supports
SR 26-2 / OCC 2026-13 / FDIC (Apr 2026) US banks (>$30B) Model inventory, tiering, independent validation, governance (supervised ML in scope; GenAI/agentic out of scope)
Treasury / CRI FS AI RMF (Feb 2026) US financial services ~230 control objectives crosswalked to NIST AI RMF & SR 26-2
OSFI Guideline E-23 (eff. 2027) Canada FRFIs Lifecycle model risk incl. AI/ML
PRA SS1/23 UK banks Five model-risk principles
MAS FEAT + AI MRM paper Singapore FIs AI inventory, materiality, validation
ECOA/Reg B §1002.9, FCRA US consumer credit Adverse-action reason codes; fair lending
NAIC Model Bulletin, NY DFS CL7, CO SB 21-169 US insurance AIS Program; proxy/bias testing
EU AI Act Annex III 5(b)/5(c) + DORA; GDPR Art. 22 EU High-risk credit/insurance AI; ICT resilience; automated decisions
ISO/IEC 42001 & 23894; COSO ERM + Three Lines Global Management system, AI risk, governance backbone

10. Review

MRM standards and the inventory are reviewed at least annually and after any material regulatory change or model incident.

Appendix A — Validation report template

Section Content
Model & tier [name / H/M/L]
Conceptual soundness [findings]
Data quality & lineage [findings]
Outcomes analysis / back-testing [results]
Ongoing monitoring plan [metrics & thresholds]
Bias / explainability (AI/ML) [findings]
Limitations & conditions [list]
Validator (independent) & date [name / date]
Effective-challenge sign-off [name / date]

Document control & approval

Version Date Author Approved by Summary of change
1.0 [Date] [Author] [Approver] Initial adoption

Sign-off

  • Policy owner: __________________________ Signature: ______________ Date: __________
  • Accountable executive: __________________________ Signature: ______________ Date: __________
  • Next review due: __________

This template was generated by autogovern.io as a professional starting point. Review and adapt it to your organisation, systems, sector and legal advice before adoption. It is an educational aid, not legal advice.