A Guide to Understanding Model Risk Management

Introduction

In 2012, JPMorgan Chase's Chief Investment Office implemented a new Value-at-Risk model that reduced reported risk exposure by nearly 50%. The result wasn't lower risk — it was hidden risk. Losses eventually exceeded $6 billion, and the OCC cited inadequate model development, implementation, and governance as core failures. Total regulatory penalties reached roughly $920 million.

The London Whale became the defining case study in what happens when model governance breaks down at scale.

This guide is written for fintech companies, crypto firms, embedded finance startups, and BaaS banks that rely on quantitative models to drive decisions. That includes credit scoring, fraud detection, AML transaction monitoring, and onboarding risk scoring.

If a model informs a business-critical decision, model risk management (MRM) applies to you.

What follows covers: what MRM is, where model risk comes from, the six-stage MRM lifecycle, governance structures, the regulations you need to know, and how to build a proportionate program without hiring a full-time team.


TLDR

  • MRM is the structured practice of identifying, measuring, and controlling risks from models used in decision-making
  • Model risk stems from bad data, flawed assumptions, implementation errors, and misuse — any one can trigger capital miscalculation, flawed credit decisions, or regulatory enforcement
  • Six iterative stages drive effective MRM: planning, development, validation, implementation, monitoring, and adjustment
  • SR 11-7 sets the US regulatory baseline; PRA SS1/23, EBA guidelines, and ECB guidance extend expectations globally
  • Seed-to-Series B fintechs can build MRM capability through fractional compliance leadership, skipping the cost of a full-time hire

What Is Model Risk Management (And Why Does It Matter)?

Defining the Terms

SR 11-7, the Federal Reserve/OCC's 2011 supervisory guidance, defines a model as a quantitative method, system, or approach that uses statistical, economic, financial, or mathematical theories to process input data into quantitative estimates. That covers everything from a logistic regression credit scorecard to a neural network fraud detection system.

Model risk, per the same guidance, is the potential for adverse consequences from decisions based on incorrect or misused model outputs.

Model risk management is the structured, ongoing program that identifies, measures, and controls those risks across a model's entire lifecycle — from the first design decision to eventual decommission.

Why It Matters Beyond Big Banks

Financial institutions use models across a wide range of critical functions:

  • Credit decisioning and underwriting
  • Fraud detection and prevention
  • AML/transaction monitoring
  • Capital adequacy calculations
  • Product pricing

When those models fail, the consequences are direct: financial loss, regulatory sanction, or both.

The London Whale is the textbook case. Zillow's algorithmic home-buying program offers an equally instructive example outside traditional banking: the company reported $407.9 million in inventory write-downs in 2021 after its forecasting model systematically overpriced home purchases. No banking license required for that to qualify as a model governance failure.

For fintechs, the pressure is direct. Sponsor banks now conduct formal due diligence on their fintech partners' risk controls.

If your credit model or fraud engine can't be explained, documented, or validated, it will surface as a problem — in regulatory examinations and in every sponsor bank conversation you have.


What Causes Model Risk? Common Sources to Watch

Model risk doesn't have a single origin. SR 11-7 identifies two primary sources: errors in a model or its inputs, and incorrect or inappropriate model use. In practice, these play out in three distinct ways.

Data-Related Risk

Models are only as good as the data they're trained and run on. Erroneous, outdated, incomplete, or biased input data distorts outputs — often in ways that aren't immediately visible.

For AI/ML models trained on historical data, this is especially acute. Federal Reserve Governor Brainard highlighted that models trained on data reflecting historical racial bias can amplify credit access gaps. With an estimated 26 million credit-invisible Americans, what a model "learns" from the past isn't always appropriate for the present.

Methodological and Assumption Risk

Assumption failure drove many of the 2008 financial crisis losses. Firms assumed housing prices across mortgage portfolios were uncorrelated. They weren't. The Senior Supervisors Group's post-mortem found that risk measures at major financial firms failed to capture severe market stress, liquidity risk, and correlated exposures.

Wrong variable selection, an ill-suited modeling approach, or a flawed core assumption can render a model systematically inaccurate — even when the underlying code is sound.

Implementation and Misuse Risk

A technically sound model can still produce harmful outcomes if:

  • It contains programming or calculation errors
  • It's applied in a context it wasn't designed for
  • Its outputs are misinterpreted by users
  • It's modified without proper re-validation

This last point catches fast-moving fintech teams frequently. Under pressure to ship, models get deployed into new products or markets without formal review. The underlying logic may be fine — the application isn't.

All three categories — data, methodology, and implementation — can occur independently or compound each other, which is why effective model risk management addresses each as a distinct control point.


[Infographic: three sources of model risk (data, methodology, implementation)]

The Model Risk Management Lifecycle: 6 Key Steps

MRM isn't a one-time approval process. It's a continuous loop where each phase informs the next. SR 11-7 frames it around development, implementation, use, and ongoing validation — in practice, most robust programs organize this into six stages.

1. Model Planning

Before any code is written, define the model's scope, intended use, and the decisions it will inform. Flag potential risks upfront. This stage sets the risk-aware foundation for everything that follows and prevents scope creep from creating unvalidated applications later.

2. Model Development

Models are built according to planning specifications: selecting appropriate data sources, methodologies, and algorithms. Documentation is a required output here — not optional, not post-hoc. Without it, independent validation is impossible and future audits become guesswork.

3. Model Validation

Validation is the independent challenge of a model's soundness. SR 11-7 calls this an essential element of MRM and requires it to be conducted by objective, informed parties — typically a dedicated internal validation team or a third-party firm with no stake in the model's outcome.

Validation typically includes:

  • Quantitative methods: backtesting, stress testing, sensitivity analysis, challenger models
  • Qualitative assessment: fitness for purpose, regulatory alignment, documentation review
  • Review of conceptual soundness and data inputs

4. Model Implementation

Deployment integrates the validated model into operational systems. Controls at this stage should address:

  • Access and permissions: who can use the model and under what conditions
  • Output presentation: how results are surfaced to decision-makers
  • Override processes: documented procedures for when human judgment supersedes model output

A model that performs well in testing can still be misused at the operational level.

5. Model Monitoring

Ongoing monitoring tracks live model performance against real-world outcomes. Watch for:

  • Model drift: gradual degradation in predictive accuracy
  • Data shifts: changes in input data distributions
  • Environmental changes: new regulations, market shifts, or customer demographic changes

Regular reporting to risk committees and senior stakeholders ensures performance issues trigger governance responses — not just technical fixes.
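The two monitoring signals above, data shift and model drift, as an added example that is not part of the original guide: it measures input shift with a Population Stability Index, compares recent accuracy against the validated baseline, and maps a breach to a governance action rather than a silent fix. The sample scores, accuracies and the PSI thresholds (0.10 watch, 0.25 breach, an industry rule of thumb) are constructed assumptions, not figures from the page.

```python
import math

# Constructed sample data (not from the page): one input feature of a fraud
# model at development time vs. in production, plus monthly accuracy readings.
REFERENCE_SCORES = [0.05, 0.12, 0.08, 0.30, 0.22, 0.15, 0.45, 0.10, 0.28, 0.35,
                    0.18, 0.07, 0.50, 0.26, 0.14, 0.33, 0.09, 0.41, 0.20, 0.11]
LIVE_SCORES = [0.55, 0.62, 0.48, 0.70, 0.58, 0.65, 0.75, 0.52, 0.68, 0.80,
               0.60, 0.57, 0.72, 0.66, 0.54, 0.63, 0.59, 0.71, 0.61, 0.51]
BASELINE_ACCURACY = 0.92                      # accuracy recorded at validation
MONTHLY_ACCURACY = [0.91, 0.90, 0.88, 0.86, 0.83]

# Conventional PSI thresholds (rule of thumb, an assumption for this example).
PSI_WATCH, PSI_BREACH = 0.10, 0.25


def psi(reference, live, bins=5):
    """Population Stability Index: how far the live distribution of a feature
    has moved from its development-time distribution. Bin edges come from the
    reference sample; eps keeps empty bins out of log(0)."""
    lo, hi = min(reference), max(reference)
    width = (hi - lo) / bins or 1.0
    eps = 1e-4

    def share(sample):
        counts = [0] * bins
        for x in sample:
            counts[min(max(int((x - lo) / width), 0), bins - 1)] += 1
        return [max(c / len(sample), eps) for c in counts]

    ref, liv = share(reference), share(live)
    return sum((l - r) * math.log(l / r) for r, l in zip(ref, liv))


def accuracy_drift(baseline, monthly, window=3, tolerance=0.05):
    """Model drift: mean accuracy over the latest window against the validated
    baseline. Returns (drop, breached)."""
    recent = monthly[-window:]
    drop = baseline - sum(recent) / len(recent)
    return drop, drop > tolerance


def monitoring_report(reference, live, baseline, monthly):
    """Combine both checks and turn a breach into a governance action, so it
    reaches the risk committee instead of being quietly patched."""
    p = psi(reference, live)
    drop, degraded = accuracy_drift(baseline, monthly)
    shifted = p > PSI_BREACH
    if shifted or degraded:
        action = "escalate to risk committee; re-validate before continued use"
    elif p > PSI_WATCH:
        action = "investigate input shift; no decision change yet"
    else:
        action = "no action"
    return {"psi": round(p, 3), "accuracy_drop": round(drop, 3),
            "data_shift": shifted, "model_drift": degraded, "action": action}
```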

6. Model Changes and Adjustments

When monitoring flags degraded performance — or when the business context changes materially — models must be updated and re-validated. SR 11-7 is clear: validation frequency should be commensurate with model risk, and any material change to data, assumptions, or use warrants review. Skipping re-validation after a material change is one of the most common MRM failures regulators cite in enforcement actions.


[Infographic: the six-stage model risk management lifecycle as a continuous loop]

Governance and the Three Lines of Defense in MRM

Strong MRM doesn't rest on one person or one team. It requires a structured governance model where accountability is distributed and independent oversight is real.

The Three Lines

The IIA's 2020 Three Lines Model maps cleanly onto MRM:

  • First line: business units and model owners. They own the model, its use, and primary risk management.
  • Second line: model risk managers, ERM, and compliance. Independent oversight, framework ownership, and credible challenge.
  • Third line: internal audit. Independent assurance over both the first and second lines.

[Infographic: three lines of defense roles in MRM governance]

SR 11-7 uses the language of "effective challenge" — critical analysis by objective, informed parties who can identify model limitations and push for appropriate changes. That challenge is structurally impossible if validators report to the same people who built the model.

Tone from the Top

Boards approve MRM policy, and senior leadership must visibly support the risk culture it requires. Credible challenge from risk functions needs to be welcomed, not dismissed as friction.

The London Whale case illustrates what happens when that culture breaks down. The governance failure wasn't purely technical — model changes that reduced reported risk received insufficient scrutiny because the cultural environment didn't demand it.

The Model Inventory

A centralized model inventory is the operational foundation of MRM governance. It should capture:

  • Model name, purpose, and owner
  • Risk tier classification
  • Development history and version control
  • Current validation status

Without the inventory, you can't allocate oversight proportionally, and you'll inevitably miss models that need attention.

The CMRO Function

The Chief Model Risk Officer — or equivalent — should sit independent of revenue-generating lines. In large banks, this role typically reports to the CRO. For smaller fintechs, this oversight function can live within a broader compliance or risk leadership role, provided independence from the first line is preserved. Fraxtional's CRO advisory service is structured precisely for this need: second-line oversight with board-level reporting, kept structurally separate from business operations.


Model Risk Management Regulations Fintech and Crypto Firms Must Know

SR 11-7: The US Baseline

SR 11-7 was issued in 2011 by the Federal Reserve and OCC for banking organizations. It established that model risk should be managed like any other material risk and introduced the concepts of effective challenge, model inventory, and governance. Compliance is expected to be commensurate with an institution's size, complexity, and extent of model use.

While SR 11-7 technically targets supervised banks, its principles reach fintechs directly through sponsor bank relationships. When a BaaS bank conducts due diligence on a fintech partner, SR 11-7-aligned expectations are usually the benchmark — whether or not the fintech is directly regulated.

AI/ML: The Emerging Compliance Layer

Regulators aren't waiting for the legislative process to address algorithmic models. Key developments:

  • FHFA AB 2022-02: Addresses AI/ML model risk at GSEs, requiring explainability, fairness, monitoring, and documentation
  • CFPB Circular 2022-03: Creditors using complex algorithms must still provide specific adverse-action reasons under ECOA — "the model decided" is not an acceptable explanation
  • PRA SS1/23: The UK's Prudential Regulation Authority set five-principle model risk expectations for banks in 2023, covering identification, governance, development, validation, and mitigants
  • EBA and ECB: The EBA's reports on big data, advanced analytics, and ML for IRB models, plus the ECB's 2024 internal models guide, extend similar governance expectations across the EU

[Infographic: model risk regulatory frameworks compared across the US, UK and EU]

For fintechs operating across Fraxtional's service geographies — US, UK, Canada, and EU — the regulatory surface area is wide. The common thread across all jurisdictions is governance, documentation, explainability, and independent validation.

BaaS and the Indirect Enforcement Channel

Enforcement actions targeting sponsor banks are reshaping expectations for their fintech partners. The Federal Reserve's 2024 consent order against Evolve Bank required reporting of risk exposures for each fintech partner, product, and program. OCC's 2023 third-party guidance applies to all banks with third-party relationships.

Neither action is an explicit MRM enforcement order. Both make clear that sponsor banks are expected to extend bank-grade controls to their fintech partners — and that fintechs without documented MRM programs are a liability, not just a compliance gap.


Building an MRM Program as a Fintech or Startup

Most early-stage fintechs aren't starting from zero — they're starting from undocumented. Models exist; governance doesn't. Here's how to build proportionate MRM without over-engineering it.

Step 1: Build Your Model Inventory

Start here. You cannot manage risk you haven't identified. A basic inventory should capture:

  • Every model in use, including third-party and vendor tools
  • The business decision each model informs
  • Who owns it
  • When it was last reviewed or validated

Don't overlook vendor models — your AML transaction monitoring system and credit scoring tools from third parties carry model risk too.

Step 2: Classify by Risk Tier

Not every model warrants the same oversight. Focus validation resources on high-impact models:

  • Credit decisioning
  • Fraud detection
  • AML/transaction monitoring
  • Capital or liquidity models

Lower-risk tools (reporting dashboards, internal analytics) can have lighter governance — documented but not formally validated on an annual cycle.

Step 3: Assign Ownership and Document

Each model needs an owner accountable for its use and performance. Documentation should cover:

  • Intended use and data inputs
  • Methodology and known limitations
  • Validation history and review dates

This is exactly what sponsor banks and regulators ask for first.

Step 4: Establish Independent Oversight

SR 11-7's proportionality principle applies directly to startups: governance should be commensurate with model risk. For a seed-to-Series B fintech without an in-house CRO or model risk function, that doesn't mean building a full validation team. It means qualified, independent oversight over your highest-risk models.

Fractional risk leadership fills this gap practically. Fraxtional's Fractional CRO engagements deliver second-line oversight, risk framework development, and board-level reporting at a fraction of a full-time CRO's $25,000+/month cost. For fintechs in sponsor bank due diligence or investor risk reviews, documented independent governance can be what moves a deal forward.
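Steps 1 to 3 above, as an added example that is not part of the original guide: a minimal model inventory with the page's risk tiering (credit, fraud, AML and capital/liquidity models are high-risk; vendor tools still carry model risk; dashboards are low), plus the checks a second-line reviewer would run first: missing owners, never-validated models, and overdue validations. The inventory records, the as-of date and the per-tier review cadence are constructed assumptions; SR 11-7 only requires that validation frequency be commensurate with model risk.

```python
from datetime import date

# Tiering keywords follow the page's list of high-impact decisions.
HIGH_RISK_KEYWORDS = ("credit", "fraud", "aml", "capital", "liquidity")

# Review cadence per tier is an assumption for this example; low-tier models
# are documented but not formally validated on a cycle (None).
REVIEW_CYCLE_DAYS = {"high": 365, "medium": 730, "low": None}

# Constructed inventory records (hypothetical models, not real ones).
INVENTORY = [
    {"name": "Scorecard v3", "decision": "Credit decisioning", "owner": "Head of Credit",
     "vendor": False, "last_validated": date(2024, 2, 1)},
    {"name": "TxnMon (vendor)", "decision": "AML transaction monitoring", "owner": "BSA Officer",
     "vendor": True, "last_validated": None},
    {"name": "Fraud GBM", "decision": "Fraud detection", "owner": None,
     "vendor": False, "last_validated": date(2025, 3, 15)},
    {"name": "Ops dashboard", "decision": "Internal reporting", "owner": "Data Lead",
     "vendor": False, "last_validated": None},
]
AS_OF = date(2025, 9, 1)  # constructed review date


def risk_tier(record):
    """High: drives one of the page's high-impact decisions. Medium: any other
    third-party model (vendor tools carry model risk too). Low: the rest."""
    decision = record["decision"].lower()
    if any(k in decision for k in HIGH_RISK_KEYWORDS):
        return "high"
    return "medium" if record["vendor"] else "low"


def inventory_findings(inventory, today):
    """Return (model name, finding) pairs, in inventory order, for the gaps a
    sponsor bank or examiner asks about first."""
    findings = []
    for rec in inventory:
        if not rec["owner"]:
            findings.append((rec["name"], "no accountable owner"))
        cycle = REVIEW_CYCLE_DAYS[risk_tier(rec)]
        if cycle is None:
            continue  # low tier: documented, no formal validation cycle
        last = rec["last_validated"]
        if last is None:
            findings.append((rec["name"], f"{risk_tier(rec)}-risk model never validated"))
        elif (today - last).days > cycle:
            findings.append((rec["name"], f"validation overdue (last {last.isoformat()})"))
    return findings
```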



Frequently Asked Questions

What is model risk management?

MRM is the structured practice of identifying, measuring, and controlling risks that arise when organizations rely on quantitative models to make decisions. Its goal is to ensure models are fit for purpose and that potential adverse outcomes stay within acceptable limits.

What are the steps of the model risk management lifecycle?

Most robust programs follow six stages: planning, development, validation, implementation, monitoring, and adjustment. These stages are continuous and iterative, not sequential checkboxes to tick off once and move on.

What is SR 11-7 and why does it matter for fintech companies?

SR 11-7 is the US Federal Reserve/OCC's 2011 supervisory guidance on model risk management, and it remains the foundational regulatory standard for model governance. Fintechs working with sponsor banks or in regulated markets are routinely required to align with its principles as part of partner due diligence.

What is the difference between model validation and model monitoring?

Validation is a point-in-time independent assessment of a model's soundness before or after deployment. Monitoring is the ongoing process of tracking live model performance to detect drift, data changes, or emerging issues over time. Both are required — neither replaces the other.

Who is responsible for model risk management in an organization?

MRM responsibility spans the three lines: model owners and business units (first line), model risk managers and compliance (second line), and internal audit (third line). Ultimate accountability sits with senior leadership and the board.

How does AI and machine learning affect model risk?

AI/ML models introduce additional risk through complexity, opacity, and a tendency to overfit historical patterns. They require enhanced focus on explainability, bias detection, and data quality, plus more frequent monitoring than traditional statistical models. Regulators across the US, UK, and EU are actively setting expectations on each of these areas.