What SR 11-7 Means for Your Fraud Detection Vendor
Most community banks don't build their own fraud detection models. They buy them.
That distinction matters more than most compliance officers realize, because the Federal Reserve's SR 11-7 guidance on Model Risk Management does not stop at your front door. It follows the model wherever it lives - including inside your vendor's platform.
What SR 11-7 Actually Says
Issued by the Federal Reserve in 2011, SR 11-7 establishes expectations for how banks govern the models they use to make decisions. The guidance covers model development, validation, ongoing monitoring, and governance - and it applies to any model that is consequential to the bank's operations or risk profile.
Fraud detection qualifies on every count. Your fraud system makes real-time decisions that affect customers, generates losses when it fails, and creates regulatory exposure when it cannot be explained. If your examiner asks how the model works and you have no answer, that is a finding.
The Vendor Problem
Here is where community banks consistently get caught off guard.
When you license a fraud detection platform from a third-party vendor, you are not just buying software. You are taking on model risk. SR 11-7 expects your bank to understand the model's conceptual soundness, its limitations, the data it was trained on, and how it performs over time. The fact that you did not build it does not reduce that obligation.
The OCC reinforced this in Bulletin 2013-29, which requires banks to conduct due diligence on third-party vendors and maintain ongoing oversight of their risk. Together, SR 11-7 and OCC 2013-29 create a clear expectation: know what your vendor's model is doing, and document that you know.
What Examiners Are Looking For
When examiners review your fraud detection vendor relationship, they are typically looking for evidence of four things:
Model inventory
Does the bank have a documented list of AI and model-driven systems in use, including vendor-provided ones? Many community banks cannot produce this list on demand.
Vendor documentation
Has the bank collected and reviewed the vendor's model documentation - training data, validation reports, performance benchmarks, known limitations? This documentation should be on file, not sitting in a vendor portal you have never logged into.
Ongoing monitoring
Is the bank reviewing model performance over time? Fraud patterns shift. A model trained on 2019 data may behave differently in 2025. Examiners want to see that someone is watching.
Governance and escalation
Who at the bank is responsible for this vendor relationship from a model risk perspective? Is there a documented process for escalating concerns? Is the board aware that AI-driven fraud detection is in use?
The Conversation Most Banks Are Not Having
The gap we see most often is not technical. It is organizational.
Community banks have vendor management programs. They have compliance teams. But the question "does our fraud detection vendor's model meet SR 11-7 expectations?" rarely gets asked in a vendor review meeting. It falls between the compliance function and the technology function, and no one owns it.
That gap is exactly what examiners are trained to find.
What Good Looks Like
A community bank with a strong posture on this issue can demonstrate the following:
- A complete inventory of vendor systems that use AI or statistical models, with fraud detection explicitly listed
- A vendor file that includes model documentation, the most recent validation report, and performance data
- A defined monitoring cadence - at minimum, annual review of model performance against current fraud patterns
- A board-level policy that acknowledges AI use and assigns governance responsibility
- A point of contact at the vendor who can answer model risk questions
None of this requires a model risk team. It requires discipline and documentation.
The 90-Day Path
BankFlow's Prudent Innovation Review was designed specifically for this situation. In 90 days, we inventory your vendor AI systems, collect and review model documentation, identify gaps against SR 11-7 and OCC 2013-29 requirements, and produce a board-ready governance package.
If your next exam is within 12 months, the time to start is now.
Begin the Conversation
Ready to close the gap before your next exam?
Let's talk about where your AI governance stands today and what it takes to get examiner-ready in 90 days.
This article is for informational purposes only and does not constitute legal or regulatory advice. BankFlow recommends consulting qualified legal counsel for guidance specific to your institution.
Able Leadership LLC DBA The AI CEO
