SR 11-7
What SR 11-7 requires of US banks for model risk management, who reviews it, and how XVICA builds platforms that satisfy SR 11-7 evidence requirements.
Definition
SR 11-7 is the supervisory letter issued jointly by the Federal Reserve and the OCC in 2011 setting out expectations for model risk management at banking organisations. Its central proposition is that any quantitative method whose output materially affects business decisions must be governed: documented end-to-end, validated independently of the model developers, monitored in production, and reviewed at a cadence commensurate with its risk. SR 11-7 covers the full lifecycle — development, implementation, use, ongoing monitoring, validation, and retirement — and remains the dominant framework for model risk in the United States, with adjacent frameworks (PRA SS1/23, EBA guidance) following similar principles internationally.
In high-stakes deployments
SR 11-7 has shifted from a credit and market risk concern to one that increasingly covers anti-money-laundering models, sanctions screening, fraud, customer scoring, and machine-learning systems used in regulated decisions. Examiners now expect not only that an institution has model governance, but that the institution can produce, at any point, the evidence that a specific model decision was made by a specific model version using specific inputs validated against specific tests. Without that traceability, model risk findings escalate quickly.
How XVICA treats this
Where XVICA builds infrastructure that hosts or invokes regulated models, SR 11-7 expectations are designed in: model versions, training data references, input snapshots, and outputs are captured at the moment of decision and retained as primary evidence; validation results are stored alongside the version they validated; ongoing monitoring is not a separate dashboard but a property of the platform. A regulator's question — 'which model made this decision, what version, on what data?' — becomes a query rather than a forensic exercise.
Regulatory compliance engines capability
Adjacent vocabulary
BCBS 239
What BCBS 239 requires of global systemically important banks, how supervisors assess compliance, and how XVICA designs data platforms that satisfy it.
Regulatory & frameworks
DORA (Digital Operational Resilience Act)
What DORA requires of EU financial entities, who is in scope, and how XVICA designs operational resilience as a first-class engineering property.
Regulatory & frameworks
SOC 2 Type II
What SOC 2 Type II covers, how it differs from Type I, and how XVICA embeds SOC 2 evidence collection as a continuous engineering practice.