Bank examiners press lenders to explain AI credit decisions

The OCC, Federal Reserve, and FDIC jointly issued revised model risk managementModel Risk ManagementControls for automated decision systems.Key ConceptModel Risk ManagementControls for automated decision systems.Open conceptBookmark guidance on April 17, 2026, replacing 15-year-old rules from OCC Bulletin 2011-12 with a principles-based framework applicable to banks with over $30 billion in total assets. The new guidance explicitly carves out generative AI and agentic AI, acknowledging that existing rules are inadequate for the technology.

Federal Reserve Vice Chair for Supervision Michelle Bowman delivered a major speech on AI in the financial system on May 1, 2026, at the FSOC AI Roundtable on Cybersecurity and Risk Management. Bowman stated that AI evolution requires flexible supervisory guidance and that regulators must support banks in implementing AI tools safely and efficiently.

The three agencies announced plans to issue a request for information on AI model risk management in the near future, covering generative AI, agentic AI, and AI-based models. The planned RFI signals that binding AI-specific rules for banks do not yet exist and that industry comment is the next procedural step before rulemaking.

Reuters reported on June 12, 2026 that bank examiners are actively questioning financial firms about data governance, third-party vendor risk, kill switches, contingency plans, lending algorithms, and sanctions-screening systems. The scrutiny is conducted through existing bank supervision authority under the Bank Holding Company Act and the National Bank Act rather than through any new AI statute.

Bank AI supervisory questions now cover lending discrimination risk under the Equal Credit Opportunity Act, which prohibits AI models from producing racially disparate credit outcomes even when race is not an explicit input variable. The OCC and CFPB both have authority to examine consumer lending models for discriminatory effect.

The OCC established an Office of Financial Technology and launched an agencywide initiative tracking generative AI pilots at supervised banks. As of mid-2026, the office is cataloguing which banks are deploying large-language models for customer service, fraud detection, and compliance functions before formal guidance exists.

Sanctions-screening AI carries compliance risk under the Bank Secrecy Act and OFAC rules: a model that incorrectly clears a sanctioned entity, or wrongly flags a legitimate customer, can expose a bank to federal enforcement. The OCC and Treasury's Financial Crimes Enforcement Network both have jurisdiction over anti-money-laundering and sanctions compliance systems.

American Banker reported in May 2026 that the OCC's report on key risks signals that AI governance guidance is on the horizon, and that banks are navigating what it called "dual-edged risks" from AI: operational efficiency gains on one side, model failure and adversarial exploitation on the other.

The Federal Reserve's SR Letter 26-2, released April 17, 2026, sets out the joint revised guidance on model risk management. The letter applies to state member banks supervised by the Fed and offers a risk-proportionate framework under which community banks face lighter requirements than large complex institutions.

Industry law firms including Sullivan and Cromwell noted that the April 2026 guidance replaced the comprehensive prior approach with a risk-based approach, meaning large banks must now develop their own model governance frameworks aligned to principles rather than to prescriptive checklists. Critics argue this creates inconsistency across institutions.