ri-22: reflect April 2026 SR 11-7 GenAI carve-out

[pmerrison]

Summary

The OCC, Federal Reserve and FDIC jointly revised SR 11-7 / OCC Bulletin 2011-12 on 17 April 2026 (reissued as OCC Bulletin 2026-13) to explicitly exclude generative and agentic AI from MRM scope. The same package rescinded OCC Bulletin 1997-24 (credit scoring) and the 2021 interagency statement on MRM for BSA/AML, and clarified that the guidance is "most relevant" to banks above approximately $30bn in assets.

ri-22 currently states that the OCC and FRB mandate MRM coverage of AI systems, listing credit underwriting, fraud detection and AML/CFT monitoring as in-scope. After 17 April that's no longer accurate for generative or agentic AI in the US.

Changes

• Split the Model Risk Management bullet into UK and EU (where SS1/23 and the EBA AML/CFT guidelines still apply to GenAI) and US (where SR 11-7 no longer does, pending the forthcoming RFI).
• Added a paragraph noting that the US carve-out shifts obligations onto fair-lending law (ECOA/Reg B), the FCRA adverse-action regime, FFIEC TPRM expectations, SEC anti-fraud authority, NYDFS Part 500, and state-level AI legislation (Colorado AI Act, California DFPI) rather than removing them.
• Added links to PRA SS1/23 and OCC Bulletin 2026-13.

No mitigations are affected — the engineering control surface (validation, observability, version pinning, explainability, audit) is unchanged. Only the regulatory framing shifts.

Test plan

• scripts/lint-check passes
• Reviewer to confirm framing of the US/UK divergence is consistent with how the working group wants to position jurisdictional differences
• Reviewer to spot-check Jekyll render of the updated bullets and Links section