Every AI model is now a model under SR 11-7. Examiners know it. Do you?
From credit decisioning to fraud screening to customer service AI, federal and state regulators are applying decades-old model risk and fair-lending rules to your newest AI tools — with retroactive enforcement already underway. Programs are led by Helena Rush, aligned to NIST AI RMF and EU AI Act obligations.
Regulations and supervisory guidance already in force
Each item below is already in force or has a confirmed enforcement date. Sources are named so your compliance team can verify in minutes.
SR 11-7 / OCC 2011-12 — Model Risk Management
Federal Reserve and OCC supervisory guidance on model risk. Examiners are explicitly applying it to AI/ML models, including third-party and vendor AI.
Source: Federal Reserve SR 11-7 (April 4, 2011); OCC Bulletin 2011-12
NYDFS 23 NYCRR 500 (Cybersecurity)
Covered entities must govern AI tools that handle nonpublic information, with documented risk assessments and incident reporting.
Source: NYDFS 23 NYCRR Part 500, amended November 1, 2023
CFPB Circular 2023-03 (Adverse Action Notices)
Confirms that creditors using complex AI/ML models must still provide specific, accurate adverse-action reasons under ECOA / Regulation B.
Source: CFPB Circular 2023-03 (September 19, 2023)
EU AI Act — High-Risk: Credit Scoring & Insurance Pricing
Annex III lists creditworthiness and life/health insurance pricing as high-risk. Obligations are enforceable from August 2, 2026.
Source: Regulation (EU) 2024/1689, Annex III
These dates are not theoretical
Two enforcement deadlines have already passed. The next major one, EU AI Act high-risk obligations, is shown below.
The Regulatory Clock Is Running
Two EU AI Act deadlines have already passed. The next — August 2, 2026 — applies to High-Risk AI across healthcare, finance, HR, education, and insurance. Full enforcement begins that date.
Source: European Commission AI Act Service Desk
Next Enforcement Deadline
2 August 2026 — High-Risk AI Full Compliance
2 February 2025
Passed: Prohibited AI practices banned + AI Literacy (Article 4) obligations began.
If you have not acted, you are already non-compliant.
2 August 2025
Passed: GPAI model obligations + governance infrastructure required.
If you have not acted, you are already non-compliant.
2 August 2026
Next: High-Risk AI systems (Annex III) must be fully compliant. Article 50 Transparency rules apply. Full enforcement begins.
2 August 2027
Upcoming: High-Risk AI embedded in regulated products (medical devices, aviation).
November 1, 2023
NYDFS Part 500 amendments effective
Expanded governance, MFA, and incident-reporting requirements that pull AI tools into scope.
Source: NYDFS 23 NYCRR 500
February 2, 2025
EU AI Act prohibitions in force
Prohibited practices (e.g., social scoring, certain emotion recognition) are enforceable globally where EU users are touched.
Source: EU AI Act, Article 113
August 2, 2026
EU AI Act high-risk obligations apply
Credit scoring and insurance pricing AI must meet documentation, transparency, and human-oversight obligations.
Source: EU AI Act, Annex III + Article 113
The cost of getting this wrong is no longer theoretical
Real cases. Named parties. Public records. These are the precedents your board, your auditors, and your insurer will reference.
Apple Card (Goldman Sachs)
$89.8 million in penalties + redress
CFPB and OCC found Goldman's credit-card model and dispute handling violated TILA/Reg Z and CARD Act — illustrative of regulators applying existing rules to algorithmic credit decisions.
Source: CFPB Consent Order, October 23, 2024
Hello Digit
$2.7 million
CFPB action over an algorithmic savings tool that overdrew accounts despite a no-overdraft guarantee.
Source: CFPB Consent Order, August 10, 2022
EU AI Act maximum penalty (financial-services applicable)
€35M or 7% of global annual turnover
Highest tier for prohibited AI practices; up to €15M or 3% for breaches of high-risk obligations.
Source: EU AI Act, Article 99
Mapped to the NIST AI Risk Management Framework
Every engagement is structured around the four NIST AI RMF Core functions. Your auditors and clients already recognize this language.
NIST AI RMF — Govern
Map AI policy to SR 11-7 model lifecycle: ownership, validation, change control, retirement.
NIST AI RMF — Map
Inventory all AI/ML models including vendor models; classify by materiality and consumer impact.
NIST AI RMF — Measure
Independent validation, fair-lending testing, drift monitoring; retain evidence for examiners.
NIST AI RMF — Manage
Adverse-action reason generation, incident response, third-party AI risk reviews.
AI Governance & Compliance Studio
Two ways to start. One clear path forward.
Whether you need a fast read on your exposure or a deeper conversation about your governance strategy, NeuralEdge gives you a structured next step — never a sales pitch.
Free AI Readiness Snapshot
A 5-minute interactive self-assessment scored against the NIST AI RMF Core. See your readiness level immediately.
Get Your Free AI Readiness Snapshot
30-Minute Compliance Review
A working session with a NeuralEdge consultant. Bring your questions, leave with a clear action list.
Book a 30-Minute Compliance Review
Frequently asked questions
Are SR 11-7 and OCC 2011-12 actually being applied to AI?
Yes. The Fed, OCC, and FDIC have publicly confirmed that AI/ML models fall within existing model risk management guidance. Examinations are already incorporating AI-specific lines of inquiry.
We use vendor AI — does that shift the risk?
No. Interagency guidance on third-party risk management (June 6, 2023) makes clear that the bank or NBFI retains accountability for vendor models. You must validate, monitor, and document them.
Does the EU AI Act apply if we are US-only?
It can. If your AI's output is used in the EU, or you process data of EU subjects in in-scope models, extraterritorial provisions can pull you in. We help you scope this with counsel.
What is the fastest path to examiner-ready?
Inventory, materiality classification, validation evidence, fair-lending testing, and a documented governance committee. Most institutions can have a defensible baseline in 6–10 weeks.
