The FFIEC sets joint examination standards across the OCC, FDIC, Federal Reserve, NCUA, and CFPB. Understanding what FFIEC AI guidance covers and what examiners are looking for is essential for any bank compliance team preparing for a technology examination in 2026.
What Is FFIEC and Why It Matters for AI
FFIEC is an interagency body that coordinates examination principles, standards, and report forms across the federal banking regulators. When FFIEC issues guidance on IT or model risk, examiners across all member agencies apply it. FFIEC guidance on AI therefore affects every federally regulated bank regardless of primary federal regulator. Current FFIEC AI guidance exists in the 2021 interagency AI/ML model risk statement, references in the IT Examination Handbooks, and examiner training materials. In 2026, there is no single unified FFIEC AI booklet — but examiners apply a consistent framework drawn from these sources and from SR 26-2.
The Risk Dispatch — weekly briefing
Get weekly AI risk management and compliance intelligence for financial institutions. Free, no spam.
Subscribe free →What Examiners Are Looking for in AI Governance in 2026
1. Board and Senior Management Oversight
Examiners expect evidence that the board and senior management understand the bank's AI risk exposure: a board-level AI or technology risk report that accurately characterises AI risks; management-level governance documentation; clear escalation paths to the board for material AI issues. Banks that cannot demonstrate board-level AI awareness receive Management (M) findings in CAMELS ratings.
2. AI/ML Model Inventory
A complete, current model inventory is the first thing examiners request. In 2026, examiners expect the inventory to include all AI and ML models — not just traditional statistical models. Banks with gaps (models deployed without registration, shadow AI tools, vendor-provided scoring models not formally inventoried) are cited for MRM deficiencies. The inventory should include: model name, owner, tier/materiality rating, last validation date, and status of open findings.
3. Validation of AI-Specific Risks
Examiners are asking about AI-specific validation: fairness testing, performance under distribution shift, model explainability for adverse actions under ECOA/Regulation B. These questions go beyond traditional SR 11-7 validation and reflect the 2021 interagency AI statement's emphasis on fairness, explainability, and robustness.
4. Third-Party AI Vendor Oversight
Banks are expected to conduct due diligence on AI vendors' model governance practices; include AI-specific provisions in vendor contracts (model change notification, validation access, data handling); and monitor vendor-provided AI models as if they owned them. The expectation that banks "own the risk regardless of source" has been explicitly reinforced by SR 26-2.
5. Generative AI Controls
Examiners are asking about bank policies for generative AI tools. Banks with no GenAI policy, no approved tool list, and no controls on employee use of consumer AI tools with bank data are receiving findings. The examination focus is on data leakage risk and the absence of a governance framework.
Examination Preparation Checklist
- Update and audit the model inventory — include all AI/ML models, vendor-provided models, and GenAI tools.
- Prepare a board AI governance report demonstrating regular AI risk reporting to senior leadership.
- Ensure all high-tier models have current validation — open findings with no remediation timeline are a priority target.
- Document AI vendor oversight — due diligence files, contract provisions, monitoring processes.
- Prepare an adverse action explanation protocol for ML-driven credit decisions.
- Produce a GenAI policy — even a brief policy with an approved tool list demonstrates governance maturity.
- Run a pre-examination MRM self-assessment against FFIEC IT Handbook standards and SR 26-2 principles.
FFIEC in Context: OCC AI Signals and SR 26-2
The FFIEC examination framework does not exist in isolation. The OCC signalled in Spring 2026 that formal AI model risk guidance is forthcoming — see our OCC Spring 2026 guidance analysis. SR 26-2 provides the current model risk standard that FFIEC examiners apply. See our MRM framework compliance guide for the full implementation roadmap.