Statements, Bulletins, and White Papers from the OCC, FDIC, and Federal Reserve
Date compiled: July 9, 2026
Scope: This report compiles publicly available statements, bulletins, speeches, and interagency guidance issued by the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System addressing the use of artificial intelligence and machine learning in bank credit and commercial underwriting. Sources are grouped by issuing agency, with joint/interagency issuances listed in their own section. Each entry includes the source, date, a direct link, and a summary focused on: (1) objections or concerns raised, (2) factors that draw closer examiner scrutiny, and (3) commentary on acceptable use cases.
Executive Summary
No single OCC, FDIC, or Federal Reserve rule prohibits or specifically restricts the use of AI in commercial underwriting. Instead, the agencies regulate AI indirectly, through existing safety-and-soundness authority, model risk management (MRM) guidance, third-party/vendor risk management guidance, and consumer protection law (principally the Equal Credit Opportunity Act/Regulation B). This has been true since the agencies' first coordinated look at the issue (the 2021 interagency Request for Information on AI) and remains true following the most significant recent development: the April 17, 2026 issuance of revised, joint Model Risk Management guidance (Federal Reserve SR 26-2, OCC Bulletin 2026-13, and the corresponding FDIC issuance), which replaces the 15-year-old SR 11-7/OCC 2011-12 framework.
Recurring objections across the record center on four themes: (1) explainability: regulators worry that complex or “black box” AI/ML approaches cannot be understood well enough by bank staff to satisfy conceptual-soundness and independent-review expectations, and may not support the specific, individualized reasons required for adverse action notices under ECOA/Regulation B; (2) data and bias risk: AI trained on incomplete, non-representative, or biased data can perpetuate or amplify discriminatory outcomes, a concern GAO has tied directly to automated underwriting; (3) third-party/vendor dependence: community and mid-size banks disproportionately rely on vendor-built AI models, and regulators expect banks to validate and understand those models even when the underlying code or training data is proprietary; and (4) model drift/dynamic updating: AI that continues to learn after deployment complicates ongoing validation and monitoring.
Examiners are directed to scale scrutiny to “materiality,” a function of a model's exposure (how much of the loan portfolio or how many decisions it touches) and its purpose (credit underwriting is explicitly cited as a higher-materiality use, alongside stress testing and fraud detection). Under the new SR 26-2/Bulletin 2026-13 framework, guidance is expected to be most relevant to banking organizations over $30 billion in assets, but smaller banks are told they may still draw scrutiny if their AI use is prevalent, complex, or extends beyond traditional community-bank activities. Generative and agentic AI are explicitly excluded from the new MRM guidance's scope as “novel and rapidly evolving,” but the agencies and Vice Chair Bowman have been clear this is not deregulation: banks are still expected to govern those tools through compliance management, operational risk, third-party oversight, cybersecurity, privacy, fair lending, and board-level governance channels.
On acceptable use, the tone across recent speeches and reports is notably more permissive than in 2021. Federal Reserve Governor Barr (April 2025) identified document analysis to improve credit underwriting and fraud detection as areas where generative AI has genuine promise. The OCC's Fall 2025 Semiannual Risk Perspective describes banks “of all sizes” deploying sophisticated models to improve credit underwriting, detect fraud in real time, and personalize customer experience as a legitimate strategic opportunity, provided governance keeps pace. Vice Chair Bowman's May 2026 remarks explicitly warn supervisors against letting guidance “hinder access to and implementation of innovation,” particularly for smaller banks. Separately, the OCC's fair lending supervisory process no longer examines for disparate impact liability as of mid-2025 (OCC Bulletin 2025-16), which narrows one historical avenue of AI-related fair lending scrutiny, though disparate treatment, ECOA adverse-action, and safety-and-soundness/model risk expectations remain fully in force.
Federal Reserve (Board of Governors)
SR 26-2: Revised Guidance on Model Risk Management
Issuing Agency: Board of Governors of the Federal Reserve System (jointly with OCC and FDIC)
Date: April 17, 2026
Link: https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm
This supervisory letter transmits new interagency Model Risk Management (MRM) guidance that supersedes SR 11-7 (2011) and SR 21-8 (2021), the foundational MRM framework banks have used for fifteen years. It is jointly issued with the OCC and FDIC (see the Joint/Interagency section below for the full text summary) and is the single most consequential recent action touching AI-based underwriting models.
Objections/concerns addressed: the guidance responds to “supervisory experience and industry feedback” accumulated since 2011, implicitly acknowledging that examiners had stretched the old guidance to cover AI use cases it was not written for.
Examiner trigger: applicability is explicitly tied to model “materiality” (exposure × purpose) rather than a flat asset-size cutoff; the letter states the guidance is “expected to be most relevant to banking organizations with over $30 billion in total assets,” but leaves the door open to closer review of smaller banks with complex or prevalent model use.
Acceptable use commentary: generative and agentic AI are carved out of scope as “novel and rapidly evolving,” while traditional statistical/quantitative models and non-generative, non-agentic AI (the category most commercial credit-scoring and underwriting models fall into) remain squarely inside the guidance and subject to its development, validation, and governance expectations.
Speech: “Artificial Intelligence in the Financial System,” Vice Chair for Supervision Michelle W. Bowman
Issuing Agency: Board of Governors of the Federal Reserve System
Date: Delivered May 1, 2026
Link: https://www.federalreserve.gov/newsevents/speech/bowman20260501a.htm
Delivered at the Financial Stability Oversight Council's AI Series Roundtable on Cybersecurity and Risk Management, this speech is the clearest recent statement of the Fed's supervisory philosophy on AI.
Objections/concerns: Bowman frames third-party/vendor AI risk-management expectations and the scope of model risk management as open questions supervisors are still working through; she also flags that guidance historically “expanded... beyond its original purpose” in ways that need correcting.
Examiner trigger: Bowman states supervisors assess AI risk based on “the specifics regarding the use case for its deployment”: specifically (1) whether it is used for material tasks, (2) whether it is broadly accessible to employees versus limited, and (3) whether its use directly affects consumers and customers, “as with credit determinations.” Underwriting-facing AI checks all three boxes and should expect elevated attention.
Acceptable use commentary: Bowman is explicitly pro-innovation, stating supervisory guidance “should not hinder access to and implementation of innovation,” particularly for smaller banks with fewer resources than larger peers, and that banks should have flexibility to implement AI consistent with their own structure, business, and culture.
Speech: “AI, Fintechs, and Banks,” Governor Michael S. Barr
Issuing Agency: Board of Governors of the Federal Reserve System
Date: April 4, 2025
Link: https://www.federalreserve.gov/newsevents/speech/barr20250404a.htm
Delivered at the Federal Reserve Bank of San Francisco, this speech focuses on generative AI (Gen AI) adoption in banking and the role of bank–fintech partnerships in accelerating that adoption.
Objections/concerns: Barr is candid about why Gen AI has not been widely adopted in underwriting-adjacent functions: hallucination risk, stochastic (non-repeatable) outputs that conflict with banking's need for decisions to be “well-controlled, numerically and legally precise, explainable, and replicable,” information-security exposure from AI agents handling sensitive customer data, and banks' legacy infrastructure and siloed data.
Examiner/institutional trigger: Barr notes regulators expect banks to manage risk introduced through fintech partnerships specifically per SR 23-4 (Interagency Guidance on Third-Party Relationships), and to understand vendor AI tools well enough to apply their own risk management, creating tension where fintech partners are reluctant to disclose proprietary model details (“their secret sauce”).
Acceptable use commentary: Barr identifies document analysis to improve credit underwriting, and fraud detection, as concrete areas where Gen AI “offers new possibilities,” building on traditional AI's already-established role in fraud detection. He frames responsible adoption as a shared responsibility among banks, fintechs, and regulators rather than something to be blocked outright.
Office of the Comptroller of the Currency (OCC)
OCC Bulletin 2026-13: Model Risk Management: Revised Guidance
Issuing Agency: Office of the Comptroller of the Currency (jointly with Federal Reserve Board and FDIC)
Date: April 17, 2026
Link: https://www.occ.treas.gov/news-issuances/bulletins/2026/bulletin-2026-13.html
The OCC's transmittal bulletin for the same joint MRM guidance covered under SR 26-2 above. It formally rescinds the “Model Risk Management” booklet of the Comptroller's Handbook, OCC Bulletin 1997-24 (credit scoring model examination guidance), OCC Bulletin 2011-12 (the original 2011 MRM guidance), and the 2021 BSA/AML model risk statement.
Objections/concerns: none framed as new prohibitions: the bulletin is explicit that “non-compliance with this guidance will not result in supervisory criticism,” i.e., it is guidance, not an enforceable rule. The concern being addressed is stale, overly rigid guidance that examiners had begun applying inconsistently to modern AI/ML tools.
Examiner trigger: the bulletin flags that the guidance is “most useful for models supporting a banking organization's significant business lines, operations, services, and functions”; commercial underwriting models fit this description directly. The full attachment (Supervisory Guidance on Model Risk Management) specifically discusses credit underwriting, collections propensity models, and fraud detection as examples of higher-materiality AI use cases warranting more rigorous validation, effective challenge, and vendor-model due diligence.
Acceptable use commentary: the OCC notes plans to issue a further request for information “in the near future” focused specifically on banks' use of AI, including generative and agentic AI, signaling this is an evolving, not settled, area, and that the agencies intend to keep soliciting industry input before layering on additional expectations.
Semiannual Risk Perspective from the National Risk Committee, Fall 2025
Issuing Agency: Office of the Comptroller of the Currency
Date: Published Fall 2025 (data as of June 30, 2025)
The OCC's twice-yearly risk report includes a dedicated “Federal Banking System Innovation” special topic that directly addresses AI in underwriting, alongside separate sections on credit risk and fair lending relevant to commercial lending generally.
Objections/concerns: the report is candid that “appropriate governance and risk management are essential to mitigate potential risks when implementing AI systems,” without which the same models that improve underwriting speed and accuracy can introduce unmanaged risk.
Examiner trigger: the report separately notes that recent regulatory underwriting surveys found banks tightening commercial and industrial (C&I) loan underwriting standards amid economic uncertainty, a reminder that AI-based underwriting tools will be examined against the backdrop of broader credit-risk conditions, not in isolation. It also confirms a significant fair lending policy shift: as of OCC Bulletin 2025-16, the OCC's supervisory process “no longer includes examining for disparate impact liability,” narrowing (but not eliminating) one avenue of fair-lending scrutiny that previously applied to AI-driven underwriting outcomes.
Acceptable use commentary: the OCC states plainly that “banks of all sizes are exploring ways to leverage artificial intelligence... deploying sophisticated models to improve credit underwriting, detect fraud in real time, and personalize customer experience,” and frames a lack of investment in such technology as itself a “material risk” to long-term bank viability, a notably pro-adoption tone from the prudential regulator.
Interagency Statement on the Use of Alternative Data in Credit Underwriting (OCC Bulletin 2019-62)
Issuing Agency: Office of the Comptroller of the Currency (joint with Federal Reserve, FDIC, CFPB, and NCUA)
Date: December 3, 2019
Link: https://www.occ.gov/news-issuances/bulletins/2019/bulletin-2019-62.html
Issued in response to a GAO recommendation, this statement predates the AI-specific RFIs but remains the agencies' foundational guidance on using non-traditional data (e.g., cash-flow/bank-account transaction data) in underwriting, a common input to AI-driven commercial and small-business credit models.
Objections/concerns: the statement is framed around consumer-protection risk: ensuring alternative data sources are accurate, verifiable, and do not introduce disparate treatment or unfair, deceptive practices.
Examiner trigger: institutions are expected to have a “well-designed compliance management program” that performs a documented analysis of relevant consumer-protection laws before deploying alternative-data underwriting, whether or not AI is involved.
Acceptable use commentary: the agencies affirmatively encourage responsible use of alternative data, citing potential benefits including expanded credit access, faster decisions, and more favorable pricing for borrowers who might not qualify under traditional underwriting, an early, explicit statement that data-driven underwriting innovation is welcome, subject to controls.
Federal Deposit Insurance Corporation (FDIC)
Artificial Intelligence (AI) at the FDIC: AI Compliance Plan and Use-Case Inventory
Issuing Agency: Federal Deposit Insurance Corporation
Date: Last updated October 1, 2025
Link: https://www.fdic.gov/ai
This FDIC.gov hub page hosts the agency's own AI Compliance Plan (issued under OMB Memorandum 25-21) and an inventory of AI use cases at the FDIC itself; it addresses the FDIC's internal use of AI more than supervised institutions' use, but it is the agency's central, current AI reference point and confirms how the FDIC is organizing its AI governance internally, which typically foreshadows how it approaches supervised-institution AI risk.
Objections/concerns: not directly addressed on this page; the FDIC's compliance plan is oriented toward responsible internal deployment and public trust rather than industry-facing prohibitions.
Examiner trigger: separate FDIC commentary (reflected in industry secondary sources) indicates that where AI is determined to be relevant through the FDIC's risk-based examination planning and prioritization process, it is typically folded into existing safety-and-soundness, IT, or compliance examinations rather than reviewed as a stand-alone “AI exam.”
Acceptable use commentary: the FDIC frames AI adoption as something to be enabled: “it is essential to enable banks to adopt these technologies while maintaining expectations that they manage associated risks and conduct their activities in a safe and sound manner,” consistent with the other two agencies' current tone.
Interagency Statement on the Use of Alternative Data in Credit Underwriting (FIL-82-2019)
Issuing Agency: Federal Deposit Insurance Corporation (joint with OCC, Federal Reserve, CFPB, and NCUA)
Date: December 3, 2019
Link: https://www.fdic.gov/news/financial-institution-letters/2019/fil19082.html
The FDIC's Financial Institution Letter transmitting the same joint alternative-data statement summarized under the OCC section above; included here because it is the FDIC's own issuance number and the version FDIC-supervised state non-member banks would reference directly.
Objections/concerns: same as above: accuracy, verifiability, and fair-lending risk of non-traditional data inputs.
Examiner trigger: FDIC examiners assess whether a bank's compliance management program has analyzed relevant consumer protection requirements before relying on alternative data (including AI-processed alternative data) in underwriting decisions.
Acceptable use commentary: identical framing to the OCC bulletin: alternative data use is encouraged where it expands access to credit and is implemented with appropriate controls.
Joint and Interagency Statements
Supervisory Guidance on Model Risk Management (full text attachment to SR 26-2 / OCC Bulletin 2026-13)
Issuing Agency: Federal Reserve Board, OCC, and FDIC (joint)
Date: April 17, 2026
Link: https://www.federalreserve.gov/supervisionreg/srletters/SR2602a1.pdf
This is the actual guidance document (not just the transmittal letters) and is worth reviewing directly given its direct relevance to commercial underwriting models. It replaces SR 11-7/OCC 2011-12 and formally organizes MRM expectations around model development and use, validation and monitoring, governance and controls, and vendor/third-party products.
Objections/concerns raised: the guidance repeatedly stresses that “even a fundamentally sound model producing accurate outputs... can exhibit high model risk if it is misapplied or misused,” and that vendor/third-party AI products pose “unique challenges for validation” because banks may not receive the underlying code, data, or methodology they would have if the model were built in-house.
Examiner deep-dive triggers, stated explicitly: (1) model materiality, defined as the combination of model exposure (portfolio size/business impact) and model purpose: “models developed to help meet regulatory requirements or manage a banking organization's financial risk exposures are generally considered to be of greater risk”; (2) use in “significant business lines, operations, services, and functions”; (3) reliance on vendor or other third-party models without adequate independent validation; (4) absence of “effective challenge”: critical review by staff with the expertise and independence to challenge model design and the organizational standing to force changes; and (5) weak model inventory or documentation that would prevent tracking a model's assumptions, changes, and remediation history.
Acceptable use commentary: notably, the guidance excludes generative AI and agentic AI from its scope entirely (“novel and rapidly evolving”), while explicitly stating that “the principles described in this guidance apply to traditional statistical and quantitative models and non-generative, non-agentic AI models,” meaning conventional machine-learning credit-scoring and underwriting models are treated as ordinary “models” subject to standard MRM discipline, not singled out for extra restriction.
Request for Information and Comment on Financial Institutions' Use of Artificial Intelligence, Including Machine Learning
Issuing Agency: Federal Reserve Board, OCC, FDIC, CFPB, and NCUA (joint)
Date: Published March 31, 2021; comment period closed July 1, 2021
This remains the single most detailed articulation of the agencies' AI concerns on the record, organized around named risk categories that still frame supervisory thinking five years later. It explicitly lists “credit decisions” as a core AI use case under review.
Objections/concerns raised, by category: Explainability: “lack of explainability can inhibit financial institution management's understanding of the conceptual soundness of an AI approach... inhibit independent review and audit and make compliance with laws and regulations... more challenging.” Data usage/bias: AI “may perpetuate or even amplify bias or inaccuracies inherent in the training data.” Overfitting: AI can learn from “idiosyncratic patterns... not representative of the population as a whole,” more pronounced in AI than traditional models. Cybersecurity: exposure to “data poisoning attacks.” Dynamic updating: models that keep learning post-deployment complicate validation, monitoring, and tracking of performance over time. Third-party oversight: community institutions in particular “may be more likely to use third-party AI approaches,” raising questions about their level of expertise and insight into vendor models. Fair lending: “it may be challenging to verify that a less transparent and explainable approach comports with fair lending laws,” and the RFI asks directly how lenders identify ECOA/Regulation B adverse-action reasons when AI drives the credit decision.
Examiner trigger: the RFI's appendix cross-references the existing legal/regulatory scaffolding examiners use to evaluate AI-driven credit decisions: the Fair Credit Reporting Act, ECOA/Regulation B, the Fair Housing Act, UDAP/UDAAP authority, the 2011 Model Risk Management guidance, third-party/outsourcing risk guidance, and the Interagency Fair Lending Examination Procedures. Any AI-based underwriting tool implicates several of these simultaneously, which is itself a reason such tools draw more supervisory attention than simpler rules-based tools.
Acceptable use commentary: the agencies open by acknowledging real benefits: “more accurate, lower-cost, and faster underwriting, as well as expanded credit access for consumers and small businesses that may not have obtained credit under traditional credit underwriting approaches,” and frame the entire exercise as trying to determine “whether any clarifications... would be helpful,” not whether to restrict use.
Related Congressional Oversight Report
The following is not a statement issued by the OCC, FDIC, or Federal Reserve, but is included because it directly evaluates how those three agencies oversee AI in financial services, including underwriting, and is likely to inform future guidance.
GAO-25-107197, Artificial Intelligence: Use and Oversight in Financial Services
Issuing Agency: U.S. Government Accountability Office (evaluates OCC, Federal Reserve, FDIC, CFPB, NCUA, SEC, and CFTC)
Date: May 19, 2025
Link: https://www.gao.gov/products/gao-25-107197
GAO's review assesses AI benefits and risks in financial services, how the federal banking and securities regulators oversee institutions' AI use, and how regulators use AI themselves in supervision.
Objections/concerns raised: GAO states plainly that “some AI models' limited explainability may inhibit financial institutions from complying with fair lending laws if they cannot provide specific reasons for denying an application for credit or taking other adverse action,” and separately that “automated underwriting that relies on AI models can perpetuate discriminatory practices and biases in mortgage lending, which limits access to credit for borrowers of color,” noting that AI models, unlike traditional lenders, “lack transparency and do not disclose their reasons for denying a loan application.”
Examiner/oversight trigger: GAO found that federal regulators “primarily rely on existing laws and supervisory frameworks to oversee AI, rather than developing new regulations,” though some have issued AI-specific guidance or conducted AI-focused examinations. GAO also flagged a specific gap: NCUA lacks authority to examine the technology service providers credit unions increasingly depend on for AI-driven services, a third-party oversight blind spot Congress had not yet addressed as of GAO's report.
Acceptable use commentary: GAO's framing is risk-focused rather than adoption-focused; it does not endorse specific use cases but recommends regulators (specifically FHFA in the housing context) clarify fair-lending expectations for AI-based underwriting rather than leaving institutions to guess.
Synthesis: Answering the Three Core Questions
1. What objections are being raised?
- Explainability / “black box” risk: the most consistently cited concern since 2021. Regulators worry examiners and bank staff cannot evaluate “conceptual soundness” of complex AI, and that this in turn undermines ECOA/Regulation B adverse-action reason-giving.
- Data quality and bias: AI trained on incomplete or non-representative data can perpetuate or amplify discriminatory outcomes (GAO, 2021 RFI); this remains a live concern even as the OCC has narrowed its disparate-impact examination posture.
- Third-party/vendor dependence: banks (especially smaller ones) often cannot see a vendor model's code, training data, or methodology, complicating validation obligations that fall on the bank regardless.
- Model drift / dynamic updating: AI that continues learning post-deployment is harder to validate, monitor, and audit against a fixed baseline.
- Overfitting and cybersecurity exposure (e.g., data poisoning): flagged in 2021 and still generally applicable, though less prominent in the most recent 2025–2026 statements, which focus more on governance than technical failure modes.
2. What causes examiners to take a deeper look?
- Model materiality: high exposure (large or growing share of the commercial loan portfolio) combined with high-stakes purpose (credit underwriting is named explicitly, alongside stress testing and fraud detection, as a higher-materiality use).
- Direct consumer/customer impact: Bowman's May 2026 speech specifically calls out “credit determinations” as a use case that draws closer supervisory attention because of its direct effect on customers.
- Broad internal accessibility of a tool to employees, versus narrow, controlled use.
- Reliance on vendor/third-party AI without demonstrated independent validation, documentation, or ongoing outcomes analysis.
- Weak governance signals: absent model inventory, unclear ownership/accountability, lack of “effective challenge” by independent, qualified reviewers, or inability to explain how overrides and exceptions are handled.
- Institution size is a secondary, not primary, trigger: the new SR 26-2/Bulletin 2026-13 guidance is calibrated to matter most above $30 billion in assets, but explicitly reaches smaller institutions with complex or prevalent AI use.
3. What is said about acceptable use cases?
- Credit underwriting itself is repeatedly named as a legitimate, expected AI use case, not a disfavored one. The OCC's Fall 2025 risk report and Governor Barr's April 2025 speech both cite it approvingly (faster, more accurate underwriting; document analysis; expanded credit access).
- Traditional/non-generative, non-agentic AI/ML models used for underwriting fall within the standard Model Risk Management framework and are treated like any other model (develop, validate, monitor, govern) rather than singled out.
- Generative and agentic AI are explicitly carved out of the April 2026 MRM guidance as too new to fit the existing framework, but the agencies and Bowman are explicit this is not a free pass: those tools are still expected to be governed through compliance management, operational risk, third-party oversight, cybersecurity, privacy, fair lending, and board-level governance.
- Alternative-data-driven underwriting (a common input into AI models) has been affirmatively encouraged since 2019, provided a documented compliance analysis precedes its use.
- The overall regulatory posture has shifted measurably toward enabling adoption since 2021: both Bowman and the OCC's Fall 2025 report frame under-investment in AI/technology as itself a supervisory risk, a notable inversion of the more cautionary tone of the original 2021 RFI.
Full Source List
- SR 26-2, Federal Reserve: federalreserve.gov/supervisionreg/srletters/SR2602.htm
- SR 26-2 Attachment (full MRM guidance): federalreserve.gov/supervisionreg/srletters/SR2602a1.pdf
- Speech, Vice Chair Bowman, “Artificial Intelligence in the Financial System”: federalreserve.gov/newsevents/speech/bowman20260501a.htm
- Speech, Governor Barr, “AI, Fintechs, and Banks”: federalreserve.gov/newsevents/speech/barr20250404a.htm
- OCC Bulletin 2026-13: occ.treas.gov/news-issuances/bulletins/2026/bulletin-2026-13.html
- OCC Semiannual Risk Perspective, Fall 2025: occ.gov/publications-and-resources/publications/semiannual-risk-perspective
- OCC Bulletin 2019-62, Alternative Data Statement: occ.gov/news-issuances/bulletins/2019/bulletin-2019-62.html
- FDIC, Artificial Intelligence at the FDIC: fdic.gov/ai
- FDIC FIL-82-2019, Alternative Data Statement: fdic.gov/news/financial-institution-letters/2019/fil19082.html
- 2021 Interagency RFI on AI/ML: federalregister.gov (2021 RFI)
- GAO-25-107197: gao.gov/products/gao-25-107197

