CECL Q&A with Gavin Harding and Jose Tagunicar

Model inventories are rapidly expanding. AI-enabled tools are entering workflows that were once deterministic and decisioning environments are more interconnected than ever. At the same time, regulatory scrutiny around model risk management continues to intensify. In many institutions, classification determines validation depth, monitoring intensity, and escalation pathways while informing board reporting. If classification is wrong, every downstream control is misaligned. And, in 2026, model classification is no longer just about assigning a tier, but rather about understanding data lineage, use case evolution, interdependencies, and governance accountability in a decentralized, AI-driven environment. We recently spoke with Mark Longman, Director of Analytics and Regulatory Technology, and here are some of his thoughts around five blind spots risk and compliance leaders should consider addressing now. 1. The “Set It and Forget It” Mentality The Blind Spot Model classification frameworks are often designed during a regulatory remediation effort or inventory modernization initiative. Once documented and approved, they can remain largely unchanged for years. However, model risk management is an ongoing process. “There’s really no sort of one and done when it comes to model risk management,” said Longman. Why It Matters Classification is not merely descriptive, it’s prescriptive. It drives the depth of validation, the frequency of monitoring, the intensity of governance oversight and the level of senior management visibility. As Longman notes, data fragmentation is compounding the challenge. “There’s data everywhere – internal, cloud, even shadow IT – and it’s tough to get a clear view into the inputs into the models,” he said. When inputs are unclear, tiering becomes inherently subjective and if classification frameworks are not reviewed regularly, governance intensity can become misaligned with real exposure. Therefore, static classification is a growing risk, especially in a world of rapidly expanding AI use cases. In a supervisory environment that continues to scrutinize model definitions, particularly as AI tools proliferate, a dynamic, periodically refreshed classification process can demonstrate institutional vigilance. 2. Assuming Third-Party Models Reduce Governance Accountability The Blind SpotThere is often an implicit belief that vendor-provided models carry less governance burden because they were developed externally. Why It Matters Vendor provided models continue to grow, particularly in AI-driven solutions, but supervisory expectations remain firm. “Third-party models do not diminish the responsibility of the institution for its governance and oversight of the model – whether it’s monitoring, ongoing validation, just evaluating drift model documentation,” Longman said. “The board and senior managers are responsible to make sure that these models are performing as expected and that includes third-party models.” Regulators consistently emphasize that institutions remain responsible for the outcomes produced by models used in their decisioning environments, regardless of origin. If a vendor model influences credit approvals, pricing, fraud decisions, or capital calculations, it directly affects customers, financial performance and compliance exposure. Treating third-party models as inherently lower risk can also distort internal tiering frameworks. When vendor models are under-classified, validation depth and monitoring rigor may be insufficient relative to their true impact. 3. Limited Situational Awareness of Model Interdependencies The Blind Spotfeed multiple downstream models simultaneously. Why It Matters Risk often flows across interdependencies. When upstream models degrade in performance or introduce bias, downstream models inherit that exposure. If multiple material decisions depend on the same data transformation or feature engineering process, concentration risk emerges. Without visibility into these dependencies, tiering assessments may underestimate cumulative risk, and monitoring frameworks may fail to detect systemic vulnerabilities. “There has to be a holistic view of what models are being used for – and really somebody to ensure there’s not that overlap across models,” Longman said. Supervisors are increasingly interested in understanding how model risk propagates through business processes. When institutions cannot articulate how models interact, it raises broader concerns about situational awareness and control effectiveness. Therefore, capturing interdependencies within the classification framework enhances more than documentation. It enables more accurate tiering, more targeted monitoring and more informed governance oversight. 4. Excluding Models Without Defensible Rationale The Blind SpotGray-area tools frequently sit outside formal inventories: rule-based engines, spreadsheet models, scenario calculators, heuristic decision aids, or emerging AI tools used for analysis and summarization. These tools may not neatly fit legacy definitions of a “model,” and so they are sometimes excluded without robust documentation. Why It Matters Regulatory definitions of “model” have broadened over time. What creates risk is the absence of defensible reasoning and documentation. Longman describes the risk clearly: “Some [teams] are deploying AI solutions that are sort of unbeknownst to the model risk management community – and almost creating what you might think of as a shadow model inventory.” Without visibility, institutions cannot confidently characterize use, trace inputs, or assign appropriate tiers, according to Longman. It also undermines the credibility of the official inventory during examinations. A well-governed program can articulate why certain tools fall outside model risk management scope, referencing documented criteria aligned with regulatory guidance. Without that evidence, exclusions can appear arbitrary, suggesting gaps in oversight. 5. Inconsistent or Subjective Classification Frameworks The Blind SpotAs inventories scale and governance teams expand, classification decisions are often distributed across reviewers. Over time, discrepancies can emerge. Why It Matters Inconsistency undermines both risk management and regulatory confidence. If two models with comparable use cases and impact profiles are assigned different tiers without clear justification, it signals that the framework is not being applied uniformly. AI adds even more complexity. When it comes to emerging AI model governance versus traditional model governance, there’s a lot to unpack, says Longman: “The AI models themselves are a lot more complicated than your traditional logistic or multiple regression models. The data, the prompting, you need to monitor the prompts that the LLMs for example are responding to and you need to make sure you can have what you may think of as prompt drift,” Longman said. As frameworks evolve, particularly to incorporate AI, automation, and new regulatory interpretations, institutions must ensure that changes are cascaded across the entire inventory. Partial updates or selective reclassification introduce fragmentation. Longman recommends formalizing classification through a structured decision tree embedded in policy to ensure consistent outcomes across business units. Beyond clear documentation, a strong classification program is applied consistently, measured objectively, and periodically reassessed across the full portfolio. BONUS – 6. Elevating Classification with Data-Level Visibility Some institutions are extending classification discipline beyond models to the data layer itself. Longman describes organizations that maintain not only a model inventory, but a data inventory, mapping variables to the models they influence. This approach allows institutions to quickly assess downstream effects when operational or environmental changes occur including system updates or even natural disasters affecting payment behavior. In an AI-driven environment, traceability may become a competitive differentiator. Conclusion Model classification is foundational. It determines how risk is measured, monitored, escalated, and reported. In a rapidly evolving regulatory and technological environment, it cannot remain static. Institutions that invest now in transparency, consistency, and data-level visibility will not only reduce supervisory friction – they will build a governance framework capable of supporting the next generation of AI-enabled decisioning. Learn more

Financial services leaders are dealing with numerous pressures at the same time. These growing challenges for financial services organizations include sophisticated fraud, rapid Artificial Intelligence (AI) adoption without clear regulatory direction, rising customer expectations and the need for compliant, sustainable growth. Businesses are rethinking how they manage risk, growth and customer trust. These financial industry challenges are no longer confined to internal risk teams. They directly impact long-term customer loyalty. How organizations navigate these challenges will determine how effectively they deliver value to their customers. We’ve outlined the six challenges for financial services oranizations that consistently rank highest among industry leaders today. Challenge 1: Fraud is becoming harder to detect and eroding customer trust 72% of business leaders expect AI-generated fraud and deepfakes to be major challenges by 20261 As fraud tactics evolve quickly, driven in part by AI, customers are being targeted through identity-based attacks from account takeovers to synthetic identities and misuse of personal information. When these threats go undetected, or when legitimate activity is incorrectly flagged, the result isn’t just financial loss. It’s a breakdown of trust. Organizations that want to stay ahead must move beyond isolated fraud controls. By embedding identity management and monitoring into the customer experience, organizations can move from reactive fraud response to proactive identity protection. Identity theft protection and monitoring help organizations turn fraud prevention into a visible, trust-building experience for customers — offering early alerts, guidance, and peace of mind when identity risks arise. Challenge 2: AI decisions must be trusted by customers, not just regulators 76% of businesses say implementing responsible AI is one of their biggest challenges2 As AI becomes more embedded in financial services, it shapes the experiences customers see every day. From credit decisions to eligibility outcomes and personalized offers. While AI can drive faster and more inclusive decisions, it also introduces a new expectation: customers want to understand why a decision was made. Responsible AI is no longer just about regulatory compliance. It’s about delivering outcomes that feel fair, consistent and easy to understand. When decisions appear unclear, confidence erodes. When organizations can clearly explain outcomes, not just internally, they build confidence across regulators, partners and customers. This allows AI to scale responsibly while reinforcing trust in every interaction. Financial wellness tools such as credit scores, reports and education help make AI-driven decisions more transparent, giving customers clarity into outcomes and confidence in how their financial health is assessed. Challenge 3: Digital experiences are failing to deliver clarity and confidence 57% of U.S. consumers remain concerned about conducting activities online3 Customer confidence is affected by day-to-day interactions such as onboarding, payments and issue resolution. Inconsistent decisions, unclear outcomes and friction in digital journeys can quickly erode confidence and increase confusion, disengagement and abandonment. Financial services leaders will need to rebuild and strengthen confidence. Improving key decision points with better data and analytics helps ensure customers receive timely insights, understandable outcomes and meaningful guidance, turning everyday interactions into opportunities to build stronger relationships. By delivering ongoing financial wellness insights and education, organizations can replace confusion with clarity — helping consumers better understand their financial standing and stay engaged over time. Challenge 4: Gen Z continues to raise the bar It's no secret that Gen Z stands out for its strong preference for digital financial services and digital interactions, but Gen Z is also pushing the envelope on financial wellness. 48% of Gen Z report that they do not feel financially secure, indicating strong demand for financial support and tools4 Their expectations for instant decisions, seamless digital experiences, transparency and tools that help them manage their financial lives are quickly becoming the baseline. To meet and exceed these expectations, financial institutions will need to support real-time, data-driven decisioning that adapt to individual needs. Delivering modern, app-like financial experiences, without compromising risk management. Increasingly, organizations are meeting Gen Z expectations by offering financial wellness and protection tools through employee benefits, supporting everyday financial confidence beyond traditional compensation. Challenge 5: Limited data limits meaningful consumer engagement 62 million U.S. consumers are thin-file or credit invisible under traditional credit scoring.5 Growth will always be a priority, but it must be responsible and inclusive. Traditional credit data alone often provides an incomplete picture of consumer financial behavior, limiting visibility and making it harder to confidently expand access. By incorporating alternative and expanded data, organizations can gain a more holistic view of consumers. This broader perspective supports smarter decisions, personalized insights and more inclusive engagement, which enables growth while maintaining compliance and managing risk responsibly. Expanded data supports more personalized financial wellness experiences, enabling organizations to provide relevant insights, responsible access and guidance tailored to individual consumer needs. Challenge 6: Disconnected decisions create inconsistent customer experiences Increasingly, fintech leaders are moving toward unified risk and decisioning strategies to deliver more personalized experiences6 While customers interact with a single institution, decisions are often made across disconnected data sources, systems and teams. These silos create inconsistent experiences, slow responses and operational complexities that customers feel directly through conflicting messages and uneven outcomes. Experian helps organizations break down these silos by unifying data, analytics and decisioning across the enterprise. When data incidents occur, integrated experiences enable faster data breach resolution, helping consumers understand what happened, take action, and recover with confidence. Looking ahead These challenges for financial services organizations are not emerging; they’re already here and reshaping how financial institutions engage with consumers. Leaders who proactively address financial industry challenges by connecting data, analytics, and responsible AI are better positioned to deliver trusted, transparent and meaningful experiences. Learn More References:1. https://www.experian.com/blogs/insights/2025-identity-fraud-report2. https://www.techradar.com/pro/businesses-are-struggling-to-implement-responsible-ai-but-it-could-make-all-the-difference3. https://www.experian.com/blogs/insights/2025-identity-fraud-report4. https://www.deloitte.com/global/en/issues/work/genz-millennial-survey.html5. https://www.experian.com/thought-leadership/business/the-roi-of-alternative-data6. https://us-go.experian.com/2025-state-of-fintech-report?cmpid=IM-2025-state-of-fintech-report-livesocial-share

Since 1996, The Internal Revenue Service (IRS) has issued more than 27 million individual taxpayer identification numbers (ITINs) –⁠ a 9-digit number used by individuals who are required to file or report taxes in the United States but are not eligible to obtain a Social Security number (SSN). Across the country, ITIN holders are actively contributing to their communities and the U.S. financial system. They pay bills, build businesses, contribute billions in taxes and manage their finances responsibly. Yet despite their clear engagement, many remain underrepresented within traditional lending models.  Lenders have a meaningful opportunity to bridge the gap between intention and impact. By rethinking how ITIN consumers are evaluated and supported, financial institutions can: Reduce barriers that have historically held capable borrowers back Build products that reflect real borrower needs Foster trust and strengthen community relationships Drive sustainable, responsible growth Our latest white paper takes a more holistic look at ITIN consumers, highlighting their credit behaviors, performance patterns and long-term growth potential. The findings reveal a population that is not only financially engaged, but also demonstrating signs of ongoing stability and mobility. A few takeaways include: ITIN holders maintain a lower debt-to-income ratio than SSN consumers. ITIN holders exhibit fewer derogatory accounts (180–⁠400 days past due). After 12 months, 76.9% of ITIN holders remained current on trades, a rate 15% higher than SSN consumers. With deeper insight into this segment, lenders can make more informed, inclusive decisions. Read the full white paper to uncover the trends and opportunities shaping the future of ITIN lending. Download white paper