
For owners of community banks & credit unions

Cybersecurity for community bank CEOs — not Wall Street.

Your bank serves a town, not the world. You're under SR 11-7 examination just like the big banks — but with a fraction of their model risk team. You don't need a SOC to satisfy an OCC examiner. You need an operator who's done it.

This is the owner version: how community FIs in your asset band actually get hit, what BEC and ransomware cost, the examiner expectations that don't scale with bank size, and what an EFROS engagement looks like for you.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

The shift

Why owners of community banks are getting hit more, not less

Attackers have moved down-market. Money-center banks invested for a decade and made themselves expensive targets. Community FIs in the $300M-$5B AUM band still process meaningful dollar volumes, run on outsourced cores, and have fraud-detection coverage built for a prior decade. From the attacker's economics, you're a softer target with adjacent depositor wealth — and they know your examiner expectations are tightening, not loosening.

The second shift is examiner posture. The OCC, FDIC, and NCUA all published or reaffirmed third-party risk guidance in 2023-2024 and explicitly signaled AI governance as a 2025-2026 focus area. You don't need to be doing something exotic with AI to be in scope — your core processor enabling an AI feature is enough to put the question on the next exam.

Industry stat: OCC and FDIC together reported 41 formal enforcement actions citing cybersecurity controls in 2024 — 73% against community banks under $5B AUM. Most started as MRA findings that didn't get remediated before the next examination cycle.

The five ways community FIs get hit

The 5 ways community banks get attacked

Drawn from FFIEC published cyber incident data, FBI IC3 reports, and the incident pattern across community FIs and credit unions we've worked with.

Wire fraud and Business Email Compromise (BEC)

An attacker spoofs the CEO or a senior commercial client and emails the back office an urgent wire instruction. By the time someone calls to confirm, the funds have hit a money mule. The FBI IC3 report tracks $2.9B in 2024 BEC losses.

ATM jackpotting and card-fraud schemes

Coordinated card-skimming or ATM cassette dispenser attacks on the bank's network. Smaller banks see this less but the per-incident loss is meaningful and the OCC examiner will ask about your monitoring of the ATM driver and switch.

Model risk gaps in third-party AI fraud-detection vendors

Your fraud-detection or AML vendor uses ML models you can't fully inspect. SR 11-7 still holds you accountable for model performance, bias testing, and ongoing validation — even when the model isn't yours.

Examiner findings on third-party AI use

OCC, FDIC, and NCUA all signaled in 2024-2025 that AI use by community FIs is in scope at the next examination cycle. Vendor due diligence, ongoing monitoring, and board-level governance all get tested. Findings stack at MRBA/MRA level if you can't produce documentation.

Customer phishing impersonating the bank

Attackers send your customers SMS or email that looks like it came from you, harvesting credentials and account numbers. You absorb the fraud losses and the brand damage. DMARC enforcement at p=reject is the single highest-leverage control.
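A quick way to see where a domain stands on that control is to read its DMARC record the way a receiving mail server does. The script below is an added example (not EFROS code and not a tool the page describes): it parses a `_dmarc` TXT record into its tags and reports whether the policy actually enforces. It does not query DNS; the records are constructed samples shaped like real ones, and the domain `example-bank.test` is a placeholder.

```python
"""Parse a DMARC TXT record and judge whether it enforces (p=reject).

Added example, not EFROS code. No DNS lookup is performed; SAMPLES below are
constructed records that mimic what _dmarc.<domain> TXT lookups return.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (placeholder domain example-bank.test).
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-bank.test",
    "subdomain_gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-bank.test",
    "enforced": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example-bank.test; ruf=mailto:dmarc@example-bank.test; fo=1"),
}


@dataclass
class DmarcAssessment:
    policy: Optional[str]            # p= tag, lowercased
    subdomain_policy: Optional[str]  # sp= tag, defaults to p when absent
    pct: int                         # pct= tag, defaults to 100
    enforcing: bool                  # True only when spoofed mail is rejected everywhere
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag->value dict.

    Tag names are case-insensitive (RFC 7489), so they are lowercased;
    values keep their case because the v= value must match 'DMARC1' exactly.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Evaluate a record against the 'enforcement at p=reject' bar."""
    tags = parse_dmarc(record)
    findings: List[str] = []

    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1; receivers ignore the whole record")

    policy = tags.get("p", "").lower() or None
    if policy is None:
        findings.append("no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; mail that fails DMARC is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to spam instead of rejecting it")

    # sp= falls back to p= when absent; an explicit weaker sp= leaves subdomains spoofable.
    subdomain_policy = tags.get("sp", "").lower() or policy
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy} is weaker than p=reject; subdomains stay spoofable")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; receivers treat it as 100")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only that share of failing mail")

    if "rua" not in tags:
        findings.append("no rua= tag; you receive no aggregate reports on who sends as you")

    enforcing = (
        tags.get("v") == "DMARC1"
        and policy == "reject"
        and subdomain_policy == "reject"
        and pct == 100
    )
    return DmarcAssessment(policy, subdomain_policy, pct, enforcing, findings)


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = assess_dmarc(record)
        status = "ENFORCING" if result.enforcing else "NOT ENFORCING"
        print(f"{name:14s} {status}")
        for finding in result.findings:
            print(f"    - {finding}")
```

The check treats `pct` below 100 and an explicit weaker `sp=` as gaps even when `p=reject` is set, since either leaves a share of spoofed mail deliverable; a real review would run the same logic over the live TXT record of every domain the bank sends from, including marketing and statement-delivery subdomains.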

What it costs when it happens

Best, average, worst — the dollar reality

Modeled on published Reports of Examination, FFIEC cyber incident data, and the work we've done for community banks and credit unions in the $300M-$5B AUM band.

Best case

Insured + prepared

$85k – $320k

Strong DMARC and BEC controls catch most attempts. Cyber policy active. Single wire fraud event reversed via FinCEN Kill Chain. Deductible + forensics + customer notification cost.

Average case

Partial preparation

$420k – $1.6M

Multiple successful BEC events. Examiner MRA on third-party AI governance. Customer phishing wave triggers reissue of 4,000+ debit cards. Reputation hit drives some account closures in market.

Worst case

Unprepared

$1.8M – $6.5M

Ransomware shuts core processing 5+ days. Multi-million BEC unrecovered. OCC enforcement action with civil money penalty. NCUA or FDIC consent order. CRA implications. Board chair resignation.

Ranges are illustrative. For a personalized estimate calibrated to your AUM, branch count, and current controls, run the Cost-of-Getting-Hit calculator.

The examiner expectations

Community-FI-specific risk highlights

1. SR 11-7 (Federal Reserve Supervisory Letter on Model Risk Management) — applies to AI/ML models whether built in-house or vendor-supplied

2. FFIEC IT Examination Handbook — Information Security, Business Continuity, Outsourcing booklets are the examiner's actual test material

3. GLBA Safeguards Rule — written information security program, designated qualified individual, and tested incident response plan are minimum

4. Interagency Guidance on Third-Party Relationships (June 2023) — replaces prior OCC/FDIC/Fed guidance; applies to ALL critical third parties including AI

5. State banking commissioner notification — most states require notification within 36-72 hours; the FFIEC notification rule applies on top

What we actually do

What an EFROS engagement looks like for a community FI

We start with a 10-day fixed-fee scoping engagement. We pull your most recent ROE, your information security program, your model inventory if you have one, and your third-party register. We inventory the AI features your core, fraud-detection, AML, and loan-origination vendors have enabled — many of which your team didn't know were active.

We map each model and AI feature to SR 11-7 and the 2023 Interagency Guidance. We document validation evidence, ongoing monitoring evidence, and board reporting evidence — and surface the gaps before the next examiner finds them. We audit your DMARC, your wire-verification protocol, and your customer-facing phishing defenses.

On retainer we run the operating model: quarterly model and vendor review, tabletop exercises against the actual incident patterns hitting peer FIs, an incident-response runbook your examiner will accept, and a quarterly board-grade summary your audit committee can review on a single page. We coordinate with your existing GLBA-required qualified individual or step in as the program owner.

Flat-fee retainer — typically $8,500-18,000 per month depending on AUM, branch count, AI footprint, and core platform. We don't charge by ticket. We don't upsell tools. We run the program and we're in the room when the examiner shows up.

Three ways to start

The calculator and quiz are anonymous and take under 5 minutes. The 20-minute call is a scoping conversation, not a sales pitch.