AI/ML Model Risk Management Policy (Financial Services)
A ready-to-use template — fill in the bracketed placeholders and adopt it in your organisation.
AI/ML Model Risk Management Policy
| Field | Detail |
|---|---|
| Organisation | [Organisation Name] |
| Document type | Policy — approved, mandatory |
| Framework basis | SR 26-2 · OSFI E-23 · PRA SS1/23 · MAS · Treasury/CRI FS AI RMF |
| Owner | [Policy owner — e.g. AI Governance Lead] |
| Approved by | [Accountable executive / Board] |
| Version / status | v1.0 — DRAFT for adoption |
| Effective date | [Date] |
| Next review | [Date — at least annually] |
| Classification | Internal |
| Prepared with | autogovern.io — AI governance & risk templates |
1. Purpose
This policy defines how [Organisation Name] manages model risk — the risk of adverse consequences from incorrect or misused model outputs — across all models, expressly including AI/ML models, over their full lifecycle. It aligns with SR 26-2 (US), OSFI E-23 (Canada), PRA SS1/23 (UK) and MAS expectations, and operationalises the Treasury/CRI FS AI RMF.
2. Scope
Applies to every model used by [Organisation Name] — quantitative methods that turn inputs into estimates/decisions — used for credit, pricing, capital, AML/fraud, trading, or servicing, whether built in-house, vendor-supplied, or embedded. Supervised ML is in scope. Generative and agentic AI are governed under the AI Governance & AI Risk Management policies and this policy where they function as models; note SR 26-2 currently excludes GenAI/agentic from its formal scope pending an interagency RFI.
3. Definitions
| Term | Meaning |
|---|---|
| Model | A quantitative/algorithmic method that processes inputs into estimates, scores or decisions. |
| Model risk | Risk of adverse consequences from incorrect or misused model output. |
| Materiality / tier | The model’s risk rating driving validation intensity and oversight. |
| Validation | Independent assessment of whether a model is sound and fit for purpose. |
| Effective challenge | Critical, independent review with the competence, incentive and authority to change a model. |
| Ongoing monitoring | Continuous performance, stability and drift tracking after deployment. |
4. Governance — three lines of defence
| Line | Owner | Model-risk role |
|---|---|---|
| 1st line | Model owners / developers | Develop, document, use and monitor models; own the risk. |
| 2nd line | Model Risk Management / independent validation | Set standards, validate, effectively challenge, maintain the inventory. |
| 3rd line | Internal Audit | Assure the overall MRM framework. |
The board / risk committee owns model-risk appetite and receives regular reporting on material models and validation findings.
5. Model inventory & tiering
Maintain a complete model inventory; assign each model a materiality tier (e.g. High/Medium/Low) from its financial, regulatory and reputational impact. Validation frequency, documentation depth and oversight scale with the tier.
| Model | Purpose | Owner | AI/ML? | Tier | Last validation | Status |
|---|---|---|---|---|---|---|
| [model] | [credit/pricing/AML/…] | [owner] | [yes/no] | [H/M/L] | [date] | [dev/live/retired] |
6. Model lifecycle & stage gates
| Stage | Key activity | Gate |
|---|---|---|
| Development | Sound design, data quality/lineage, documentation an independent party can reconstruct | Development evidence complete |
| Validation | Independent validation proportionate to tier | Validation passed / conditions logged |
| Approval | Effective challenge; owner + MRM sign-off | Approved for use (tiered authority) |
| Monitoring | Ongoing performance, drift & override tracking | Monitoring live; thresholds set |
| Revalidation | On material change, breach, or schedule | Revalidation completed |
| Retirement | Decommission safely; retain records | Retirement approved |
7. Independent validation
Validation, independent of development, covers: (a) conceptual soundness (design, assumptions, methodology); (b) ongoing monitoring & process verification (incl. benchmarking); and (c) outcomes analysis / back-testing. For AI/ML models, additionally assess data lineage, feature stability, overfitting, explainability/interpretability, and drift. Vendor and third-party models are validated too — outsourcing the model does not outsource the model risk.
8. AI/ML-specific controls
- Explainability sufficient for the use case (reason codes for credit; documented interpretability for others).
- Drift & performance monitoring with thresholds and a retraining/circuit-breaker playbook.
- Bias/fairness testing where the model affects people (see the Fair Lending procedure).
- Data governance — provenance, quality, representativeness.
- Security — protection against data poisoning and model theft.
Regulatory & framework mapping (financial services)
| Instrument | Jurisdiction | What this policy supports |
|---|---|---|
| SR 26-2 / OCC 2026-13 / FDIC (Apr 2026) | US banks (>$30B) | Model inventory, tiering, independent validation, governance (supervised ML in scope; GenAI/agentic out of scope) |
| Treasury / CRI FS AI RMF (Feb 2026) | US financial services | ~230 control objectives crosswalked to NIST AI RMF & SR 26-2 |
| OSFI Guideline E-23 (eff. 2027) | Canada FRFIs | Lifecycle model risk incl. AI/ML |
| PRA SS1/23 | UK banks | Five model-risk principles |
| MAS FEAT + AI MRM paper | Singapore FIs | AI inventory, materiality, validation |
| ECOA/Reg B §1002.9, FCRA | US consumer credit | Adverse-action reason codes; fair lending |
| NAIC Model Bulletin, NY DFS CL7, CO SB 21-169 | US insurance | AIS Program; proxy/bias testing |
| EU AI Act Annex III 5(b)/5(c) + DORA; GDPR Art. 22 | EU | High-risk credit/insurance AI; ICT resilience; automated decisions |
| ISO/IEC 42001 & 23894; COSO ERM + Three Lines | Global | Management system, AI risk, governance backbone |
10. Review
MRM standards and the inventory are reviewed at least annually and after any material regulatory change or model incident.
Appendix A — Validation report template
| Section | Content |
|---|---|
| Model & tier | [name / H/M/L] |
| Conceptual soundness | [findings] |
| Data quality & lineage | [findings] |
| Outcomes analysis / back-testing | [results] |
| Ongoing monitoring plan | [metrics & thresholds] |
| Bias / explainability (AI/ML) | [findings] |
| Limitations & conditions | [list] |
| Validator (independent) & date | [name / date] |
| Effective-challenge sign-off | [name / date] |
Document control & approval
| Version | Date | Author | Approved by | Summary of change |
|---|---|---|---|---|
| 1.0 | [Date] | [Author] | [Approver] | Initial adoption |
Sign-off
- Policy owner: __________________________ Signature: ______________ Date: __________
- Accountable executive: __________________________ Signature: ______________ Date: __________
- Next review due: __________
This template was generated by autogovern.io as a professional starting point. Review and adapt it to your organisation, systems, sector and legal advice before adoption. It is an educational aid, not legal advice.