The Case for Automated Compliance in Model Risk Management

Model inventories are rapidly expanding. AI-enabled tools are entering workflows that were once deterministic and decisioning environments are more interconnected than ever. At the same time, regulatory scrutiny around model risk management continues to intensify. In many institutions, classification determines validation depth, monitoring intensity, and escalation pathways while informing board reporting. If classification is wrong, every downstream control is misaligned. And, in 2026, model classification is no longer just about assigning a tier, but rather about understanding data lineage, use case evolution, interdependencies, and governance accountability in a decentralized, AI-driven environment. We recently spoke with Mark Longman, Director of Analytics and Regulatory Technology, and here are some of his thoughts around five blind spots risk and compliance leaders should consider addressing now. 1. The “Set It and Forget It” Mentality The Blind Spot Model classification frameworks are often designed during a regulatory remediation effort or inventory modernization initiative. Once documented and approved, they can remain largely unchanged for years. However, model risk management is an ongoing process. “There’s really no sort of one and done when it comes to model risk management,” said Longman. Why It Matters Classification is not merely descriptive, it’s prescriptive. It drives the depth of validation, the frequency of monitoring, the intensity of governance oversight and the level of senior management visibility. As Longman notes, data fragmentation is compounding the challenge. “There’s data everywhere – internal, cloud, even shadow IT – and it’s tough to get a clear view into the inputs into the models,” he said. When inputs are unclear, tiering becomes inherently subjective and if classification frameworks are not reviewed regularly, governance intensity can become misaligned with real exposure. Therefore, static classification is a growing risk, especially in a world of rapidly expanding AI use cases. In a supervisory environment that continues to scrutinize model definitions, particularly as AI tools proliferate, a dynamic, periodically refreshed classification process can demonstrate institutional vigilance. 2. Assuming Third-Party Models Reduce Governance Accountability The Blind SpotThere is often an implicit belief that vendor-provided models carry less governance burden because they were developed externally. Why It Matters Vendor provided models continue to grow, particularly in AI-driven solutions, but supervisory expectations remain firm. “Third-party models do not diminish the responsibility of the institution for its governance and oversight of the model – whether it’s monitoring, ongoing validation, just evaluating drift model documentation,” Longman said. “The board and senior managers are responsible to make sure that these models are performing as expected and that includes third-party models.” Regulators consistently emphasize that institutions remain responsible for the outcomes produced by models used in their decisioning environments, regardless of origin. If a vendor model influences credit approvals, pricing, fraud decisions, or capital calculations, it directly affects customers, financial performance and compliance exposure. Treating third-party models as inherently lower risk can also distort internal tiering frameworks. When vendor models are under-classified, validation depth and monitoring rigor may be insufficient relative to their true impact. 3. Limited Situational Awareness of Model Interdependencies The Blind Spotfeed multiple downstream models simultaneously. Why It Matters Risk often flows across interdependencies. When upstream models degrade in performance or introduce bias, downstream models inherit that exposure. If multiple material decisions depend on the same data transformation or feature engineering process, concentration risk emerges. Without visibility into these dependencies, tiering assessments may underestimate cumulative risk, and monitoring frameworks may fail to detect systemic vulnerabilities. “There has to be a holistic view of what models are being used for – and really somebody to ensure there’s not that overlap across models,” Longman said. Supervisors are increasingly interested in understanding how model risk propagates through business processes. When institutions cannot articulate how models interact, it raises broader concerns about situational awareness and control effectiveness. Therefore, capturing interdependencies within the classification framework enhances more than documentation. It enables more accurate tiering, more targeted monitoring and more informed governance oversight. 4. Excluding Models Without Defensible Rationale The Blind SpotGray-area tools frequently sit outside formal inventories: rule-based engines, spreadsheet models, scenario calculators, heuristic decision aids, or emerging AI tools used for analysis and summarization. These tools may not neatly fit legacy definitions of a “model,” and so they are sometimes excluded without robust documentation. Why It Matters Regulatory definitions of “model” have broadened over time. What creates risk is the absence of defensible reasoning and documentation. Longman describes the risk clearly: “Some [teams] are deploying AI solutions that are sort of unbeknownst to the model risk management community – and almost creating what you might think of as a shadow model inventory.” Without visibility, institutions cannot confidently characterize use, trace inputs, or assign appropriate tiers, according to Longman. It also undermines the credibility of the official inventory during examinations. A well-governed program can articulate why certain tools fall outside model risk management scope, referencing documented criteria aligned with regulatory guidance. Without that evidence, exclusions can appear arbitrary, suggesting gaps in oversight. 5. Inconsistent or Subjective Classification Frameworks The Blind SpotAs inventories scale and governance teams expand, classification decisions are often distributed across reviewers. Over time, discrepancies can emerge. Why It Matters Inconsistency undermines both risk management and regulatory confidence. If two models with comparable use cases and impact profiles are assigned different tiers without clear justification, it signals that the framework is not being applied uniformly. AI adds even more complexity. When it comes to emerging AI model governance versus traditional model governance, there’s a lot to unpack, says Longman: “The AI models themselves are a lot more complicated than your traditional logistic or multiple regression models. The data, the prompting, you need to monitor the prompts that the LLMs for example are responding to and you need to make sure you can have what you may think of as prompt drift,” Longman said. As frameworks evolve, particularly to incorporate AI, automation, and new regulatory interpretations, institutions must ensure that changes are cascaded across the entire inventory. Partial updates or selective reclassification introduce fragmentation. Longman recommends formalizing classification through a structured decision tree embedded in policy to ensure consistent outcomes across business units. Beyond clear documentation, a strong classification program is applied consistently, measured objectively, and periodically reassessed across the full portfolio. BONUS – 6. Elevating Classification with Data-Level Visibility Some institutions are extending classification discipline beyond models to the data layer itself. Longman describes organizations that maintain not only a model inventory, but a data inventory, mapping variables to the models they influence. This approach allows institutions to quickly assess downstream effects when operational or environmental changes occur including system updates or even natural disasters affecting payment behavior. In an AI-driven environment, traceability may become a competitive differentiator. Conclusion Model classification is foundational. It determines how risk is measured, monitored, escalated, and reported. In a rapidly evolving regulatory and technological environment, it cannot remain static. Institutions that invest now in transparency, consistency, and data-level visibility will not only reduce supervisory friction – they will build a governance framework capable of supporting the next generation of AI-enabled decisioning. Learn more

The days of managing credit risk, fraud prevention, and compliance in silos are over. As fraud threats evolve, regulatory scrutiny increases, and economic uncertainty persists, businesses need a more unified risk strategy to stay ahead. Our latest e-book, Navigating the intersection of credit, fraud, and compliance, explores why 94% of forward-looking companies expect credit, fraud, and compliance to converge within the next three years — and what that means for your business.1 Key insights include: The line between fraud and credit risk is blurring. Many organizations classify first-party fraud losses as credit losses, distorting the true risk picture. Fear of fraud is costing businesses growth. 68% of organizations say they’re denying too many good customers due to fraud concerns. A unified approach is the future. Integrating risk decisioning across credit, fraud, and compliance leads to stronger fraud detection, smarter credit risk assessments, and improved compliance. Read the full e-book to explore how an integrated risk approach can protect your business and fuel growth. Download e-book 1Research conducted by InsightAvenue on behalf of Experian

At Experian, we believe in fostering innovation and collaboration to solve complex challenges. Recently, Ivan Ahmed, one of our talented product management leaders at Experian Housing, had the opportunity to participate in the FHFA 2024 TechSprint, where his team won the award for the best Risk Management and Compliance idea. In this article, we share Ivan's experience as he reflects on the TechSprint, the inspiration behind his team's project, and the valuable lessons learned. Can you share your experience participating in the FHFA 2024 TechSprint? What was the atmosphere like, and how did it feel to be recognized for the best Risk Management and Compliance idea? Let me start by explaining what a TechSprint is. It is a fast-paced, high-energy collaborative workshop where diverse experts and stakeholders come together to design technological solutions to complex problems. Each team is given a high-level problem and use case. From there, stakeholders and domain experts must develop a proof of concept within 3 days to best address the problem. On the last and final day, called the “Demo Day,” teams must showcase their solution in front of a panel of judges. It’s a fun, high-energy, challenging, and rewarding experience. A TechSprint is a convergence of everything I love – technology, business, and design and I think FHFA did a wonderful job orchestrating the event. Each team consisted of representatives from different functions in the housing ecosystem, including lenders, technologists, product managers, and regulators. We were given access to a room, whiteboards, and, most importantly, delicious snacks. We were also given access to industry subject matter experts outside our teams, including representatives from Fannie Mae and Freddie Mac, FHFA, and leaders from top companies. What I found the most impactful was the ability to pressure test our ideas and solutions against these industry subject matter experts. Ideating in a vacuum can be challenging, so being able to stress test things rapidly with these experts allowed us to change course quickly as new information was introduced. Winning the best Risk Management and Compliance idea award was rewarding, especially as we were able to ideate a solution to such a critical accessibility issue. Ultimately, our goal was to help create a fairer, more equitable, and inclusive housing finance system. A big shoutout to my teammates, Wemimo Abbey, Joseph Karbowski, Will Regenauer, and Eddy Atkins. What inspired Team Arsenal to focus on identifying potential gaps in ADA compliance within multifamily buildings, and what were some of the key challenges your team faced during the process? My mother has suffered from several disabilities most of her life. With age, she has become more wheelchair-dependent, and traveling has become a major challenge. On a recent family trip, the entry to our hotel building wasn’t ADA-compliant, and I had to carry her up a flight of stairs. It was frustrating to deal with. I later went down a rabbit hole around ADA compliance and, much to my surprise, learned that only 0.15% of all homes in the U.S. are wheelchair accessible! As we explored the problem space further as a team, we learned how difficult it is to ensure that new and existing rental homes are ADA-compliant. We hypothesized that a solution is needed to establish incentives for borrowers, lenders, and GSEs to meet compliance. A technological solution could more easily enable multi-family lenders and builders to identify rental units that are non-ADA compliant and could provide ways to address the gaps. We noticed two primary challenges: an enforcement gap and an incentive gap. We learned that agency loans (Fannie Mae and Freddie Mac) account for most multi-family home loan originations. If we could tackle the enforcement challenge at the GSE level, we could set up the proper incentives for all players in the multi-family lending process. By providing tools to both the borrower and the GSE’s, we could help foster a more inclusive and accessible rental housing market. How do you envision your AI-driven solution impacting the rental housing market and improving ADA compliance for multifamily buildings? We wanted to ensure that we leveraged the true power of Generative AI, which meant that our solution could take multimodal inputs and produce multimodal outputs. For example, we could train the Generative AI model on photos of interior multi-family rental units and structured or unstructured text like building sketches, site layouts, and local building codes. We could then incorporate ADA design requirements and analyze discrepancies. The result would be a compliance report or tool outlining the adherence level to ADA design requirements and providing tips and recommendations on remediation. The solution could be delivered as a free tool by the GSEs, who could incentivize its usage by offering price concessions to borrowers. Developers could also use the tool to evaluate whether new or existing builds were ADA-compliant. How did your background and experience with Experian contribute to developing your team's winning idea at the FHFA TechSprint? Much of my role at Experian has involved exploring ways to leverage proprietary and public record property data for marketing, account review, and analytical use cases. I work very closely with property data at Experian, so I was very familiar with the types of input fields of property data that would be the most relevant to improving a generative AI model output. Specifically, in our use case, we wanted to train the model to better identify homes and features that were non-compliant with ADA and provide clear remediation steps. We knew that public record property information was available from various sources and could be leveraged as additional third-party input data to improve our model accuracy. What advice would you give to other teams or individuals looking to participate in future TechSprint events, especially those aiming to tackle complex issues like risk management and compliance? It’s important to remember that an ideal solution is both impactful and practical. Practicality is achieved when the solution has both business and technical viability. Therefore, it’s crucial to carefully vet problems and solutions by understanding their viability. Working as a team to solve the problem means leveraging the expertise of subject matter experts around you. Each team member should draw on their strengths, making the collective effort stronger than individual contribution. Most importantly, fairness, inclusivity, and accessibility matter. An effective solution should strive to have a positive social impact in addition to other considerations. Winning with purpose Ivan’s journey through the FHFA 2024 TechSprint exemplifies the innovative and collaborative spirit that drives our team at Experian. His reflections highlight the impact of well-designed technological solutions on critical issues like ADA-compliance in multifamily housing. We hope Ivan’s experience inspires others to explore their potential in solving complex problems and to participate in future TechSprints, where innovative thinking and a commitment to social good can lead to meaningful change.