Every Model Matters

Key Points at a Glance

• AI is rapidly being adopted in the European banking sector, from credit processes and risk assessment to customer interaction, and is subject to a fragmented regulatory framework comprising the EU AI Act, MaRisk, and ECB and EBA regulations.
• What constitutes a “model,” “AI system,” or “AI model” is defined inconsistently across supervisory standards. In practice, institutions adopt a variety of approaches to differentiation: fully integrated, parallel, and separate but cross-referenced governance architectures.
• All banks face five core challenges: scoping AI, governance along the three lines of defense, proportionality, third-party risks, and AI-specific validation.
• Model risk management is evolving from a reactive gatekeeper to a proactive enabler of responsible AI innovation.
• The white paper encourages dialogue between industry and regulators, with the goal of establishing a flexible, principles-based framework that harmonizes AI supervision and model risk management.

AI is transforming banking. Is it also changing model risk management?

Artificial intelligence is already well established in the European banking sector. It supports lending decisions, accelerates risk assessments, shapes customer interactions, and automates processes across nearly all business functions. With this momentum, regulatory requirements are growing rapidly: the EU AI Act establishes, for the first time, a comprehensive, risk-based legal framework for AI, while MaRisk, the ECB’s guidelines for internal models, and other supervisory requirements are being further developed in parallel.

This creates a complex set of challenges for banks. Even the question of what constitutes a “model,” “AI system,” or “AI model” is answered differently depending on the regulatory standard. Added to this are growing requirements regarding explainability, fairness, the handling of third-party providers, and the validation of dynamic processes such as generative AI or agent-based systems. Traditional model risk management approaches are increasingly reaching their limits in this context.

One Goal, Many Paths: A Comparison of Practical Implementations

How can AI be integrated into an existing model risk management framework without stifling innovation or underestimating risks? Drawing on real-world case studies, this white paper illustrates how varied the approaches are. It compares three leading German banks. They differ in size, business model, systemic importance, and regulatory exposure, and their strategies reflect this diversity.

The spectrum ranges from fully integrated governance models, in which AI and traditional models are managed under one roof, to deliberately parallel architectures with independent control loops, to separate structures that are interlinked through consistent cross-references. As different as these approaches are, the common finding is clear: there is no single correct path, but rather a range of valid approaches that must be tailored to the respective organization.

Rethinking Model Risk Management: From Gatekeeper to Enabler

The insights from the three case studies all point to a common message: model risk management has historically been designed as a controlling function within the model lifecycle, often perceived as a barrier between the initial idea and deployment. In a world where AI applications are emerging and evolving in ever-shorter cycles, this role is no longer sufficient. Those who want to enable innovation while managing it responsibly need a model risk management approach that provides early guidance and sparring, and that is designed in collaboration with business units.

For this transformation to succeed, not only internal change is needed, but also an appropriate regulatory framework. The institutions featured in the paper advocate for a flexible, principles-based approach that integrates AI supervision and model risk management and leaves room for technological advancement. The white paper is intended as a contribution to precisely this dialogue between industry and regulators.