Our Methodology

A regulatory-aligned framework built on Federal Reserve SR 11-7, OCC 2013-29, and NIST AI RMF

Our methodology integrates three regulatory frameworks to deliver comprehensive AI governance for community banks. Every deliverable maps to specific regulatory requirements, ensuring examiner-readiness from day one.

Regulatory Foundation

SR 11-7: Model Risk Management

Federal Reserve (2011)

Supervisory guidance on model risk management requiring financial institutions to establish governance, validation, and ongoing monitoring frameworks for models, including AI systems.

Governance

  • Board oversight and accountability
  • Policies and procedures
  • Risk appetite framework

Validation

  • Conceptual soundness review
  • Ongoing monitoring
  • Outcomes analysis

Documentation

  • Model inventory
  • Validation reports
  • Issue tracking

OCC 2013-29: Third-Party Risk Management

OCC Bulletin (2013)

Guidance on managing risks associated with third-party relationships, requiring banks to conduct due diligence, establish contracts, and implement ongoing monitoring.

Due Diligence

  • Vendor assessment
  • Risk categorization
  • Financial stability review

Contracts

  • Service level agreements
  • Performance metrics
  • Termination rights

Monitoring

  • Performance tracking
  • Incident management
  • Annual reviews

NIST AI RMF: AI Risk Management Framework

Treasury-Recommended (2024)

A voluntary framework providing guidance on trustworthy and responsible AI, addressing bias, explainability, and fairness. The U.S. Treasury recommends that regulators integrate it into banking supervision.

GOVERN

  • AI governance structure
  • Risk appetite
  • Accountability

MAP

  • AI system inventory
  • Risk identification
  • Context analysis

MEASURE

  • Performance metrics
  • Bias testing
  • Explainability

MANAGE

  • Risk mitigation
  • Incident response
  • Continuous improvement

Four-Phase Process

Our 90-day program integrates all three regulatory frameworks into a cohesive implementation roadmap.

Phase 01: Discovery (Weeks 1-2)

Comprehensive assessment of AI systems across your vendor ecosystem. We identify all AI-powered systems, categorize risk levels, and establish the foundation for governance.

Deliverables

AI System Inventory
  • Complete list of 10-15 vendor AI systems
  • System descriptions and use cases
  • Data inputs and outputs
Risk Register
  • Risk categorization (High/Medium/Low)
  • Inherent and residual risk scores
  • Initial mitigation strategies

Regulatory Alignment

  • SR 11-7: Model inventory requirement
  • OCC 2013-29: Vendor identification and categorization
  • NIST AI RMF: MAP function (system context)

Phase 02: Due Diligence (Weeks 3-8)

Deep-dive assessment of each vendor AI system. We conduct validation reviews, assess model performance, and document findings for examiner review.

Deliverables

Vendor Assessments (10-15)
  • Model documentation review
  • Performance validation
  • Bias and fairness testing
  • Explainability assessment
Validation Reports
  • Conceptual soundness review
  • Outcomes analysis
  • Limitations and assumptions
  • Recommendations for improvement

Regulatory Alignment

  • SR 11-7: Model validation requirement
  • OCC 2013-29: Vendor due diligence
  • NIST AI RMF: MEASURE function (performance, bias)

Phase 03: Policy (Weeks 9-10)

Formalize governance structure and policies. We draft Board-approved policies, establish risk appetite, and create presentation materials for executive leadership.

Deliverables

AI Governance Policy
  • Roles and responsibilities
  • Risk appetite statement
  • Approval processes
  • Escalation procedures
Board Materials
  • Executive summary
  • Risk dashboard
  • Policy recommendations
  • Approval resolutions

Regulatory Alignment

  • SR 11-7: Governance and oversight requirement
  • OCC 2013-29: Policies and procedures
  • NIST AI RMF: GOVERN function (structure, accountability)

Phase 04: Monitoring (Weeks 11-12)

Establish ongoing monitoring framework. We create KPI dashboards, define thresholds, and provide a 12-month roadmap for continuous oversight.

Deliverables

Monitoring Plan
  • KPI definitions and thresholds
  • Reporting frequency
  • Escalation triggers
  • Review schedule
12-Month Roadmap
  • Quarterly review milestones
  • Annual validation schedule
  • Policy update timeline
  • Continuous improvement plan

Regulatory Alignment

  • SR 11-7: Ongoing monitoring requirement
  • OCC 2013-29: Continuous monitoring
  • NIST AI RMF: MANAGE function (ongoing oversight)

Compliance Matrix

Every deliverable maps to specific regulatory requirements, ensuring comprehensive compliance.

Deliverable          | SR 11-7              | OCC 2013-29           | NIST AI RMF
---------------------|----------------------|-----------------------|-------------------------------
AI System Inventory  | Model Inventory      | Vendor Identification | MAP (Context)
Risk Register        | Risk Assessment      | Risk Categorization   | MAP (Risk ID)
Vendor Assessments   | Validation           | Due Diligence         | MEASURE (Performance)
Validation Reports   | Conceptual Soundness | Vendor Review         | MEASURE (Bias, Explainability)
AI Governance Policy | Governance Framework | Policies & Procedures | GOVERN (Structure)
Board Materials      | Board Oversight      | Accountability        | GOVERN (Accountability)
Monitoring Plan      | Ongoing Monitoring   | Continuous Monitoring | MANAGE (Oversight)
12-Month Roadmap     | Periodic Review      | Annual Review         | MANAGE (Continuous Improvement)

Ready to Get Started?

Schedule a no-obligation discovery call to discuss how our methodology can help your bank achieve examiner-ready AI governance.