Six years ago, the conversation about spreadsheet risk governance was largely about convincing financial institutions that the problem existed. Most accepted that SR 11-7 applied to their formal model inventory; far fewer had grappled seriously with the thousands of business-critical spreadsheets, calculators, and end-user computing tools that fed those models but lived entirely outside any governance framework.
That conversation is over. Today, regulators in the United States, United Kingdom, Canada and even Bermuda, to name a few, have all issued or substantially revised their model risk management frameworks, and the question is no longer whether spreadsheets require governance — it is whether your institution’s governance architecture can handle a world in which four major regulatory regimes have answered that question in subtly, and in one critical respect dramatically, different ways.
For globally active banks operating under both US Federal Reserve supervision and the oversight of the Prudential Regulation Authority, OSFI, or the Bermuda Monetary Authority, that divergence is not merely an academic concern. It is a live compliance risk — one that cannot be resolved by applying the most permissive standard and hoping the others will follow.
What's Inside
- The Problem That Hasn't Gone Away
- A New Regulatory Era: SR 26-2 vs SS1/23
- The International Consensus: OSFI E-23, the BMA, and the Direction of Travel
- The Asymmetry at the Heart of Global Compliance
- Six Actions for Globally Active Banks
- The Questions Every MRM Function Should Be Asking Right Now
- Conclusion: The Governance Imperative Is Greater, Not Lesser
- Frequently Asked Questions
The Problem That Hasn’t Gone Away
End-user computing applications — spreadsheets, calculators, Python notebooks, and the countless other tools that business units build and operate outside formal IT governance — remain the single largest source of uncontrolled model risk in most financial institutions. Surveys conducted across major banks consistently find EUC populations numbering in the tens of thousands. A fraction are formally inventoried. Fewer still are subject to independent validation, change control, or structured documentation.
The risks are not theoretical. Errors in spreadsheet-based pricing models, capital calculators, and stress-testing tools have produced material financial misstatements, regulatory breaches, and reputational damage at institutions of every size. The JP Morgan London Whale loss, Fannie Mae’s 2003 restatement, and a catalog of smaller but equally significant incidents trace a direct line back to inadequately governed EUC tools.
What has changed in six years is not the nature of the risk. It is the regulatory expectation — and the sophistication of the response that regulators now demand.
Understanding the full scope of your firm’s end-user computing risk is the necessary starting point.
A New Regulatory Era: SR 26-2 vs SS1/23
The period from 2023 to 2026 has produced the most significant regulatory refresh of model risk management standards since SR 11-7 was published in 2011. The UK and the US have both acted — but in fundamentally different directions. Understanding that divergence is now the central challenge of MRM governance for any institution with a cross-border footprint.
United Kingdom — PRA SS1/23: Broad Scope, Binding, Already in Force
In May 2023, the Prudential Regulation Authority published Supervisory Statement SS1/23, setting out five model risk management principles that came into legal force on 17 May 2024. SS1/23 is the most comprehensive MRM framework issued by a major regulator to date, and it is unambiguous on the question of spreadsheets: end-user computing applications and offline spreadsheet calculations are explicitly within scope.
SS1/23 also draws in what the PRA terms ‘deterministic quantitative methods’ (DQMs) — decision-based rules or algorithms that fall outside the strict model definition but, where material and complex, are expected to be governed under the relevant aspects of the MRM framework. Many of the EUC tools that proliferate inside business units — rule-based pricing calculators, threshold-driven risk classifiers, spreadsheet-embedded decision logic — are textbook examples of DQMs.
The five principles establish a comprehensive and enforceable architecture for model risk governance across every in-scope institution:
Principle 1: Model Identification and Classification — firms must maintain a comprehensive, current inventory of all models, including EUC tools used in material decisions. Shadow populations are not tolerated.
Principle 2: Governance and Accountability — board-level accountability for model risk is required. MRM must be a standalone risk discipline with named ownership at every level, not a sub-function of model validation.
Principle 3: Model Development and Implementation — purpose, methodology, data sources, assumptions, and limitations must be documented for all in-scope tools, including those operated by individual business units.
Principle 4: Model Validation — independent validation of all material models with outcomes formally reported to senior governance. Validation intensity must reflect model materiality and complexity.
Principle 5: Model Risk Monitoring and Reporting — ongoing performance monitoring, outcome analysis, and structured escalation of model risk findings to the board.
SS1/23 initially applies to banks, building societies, and PRA-designated investment firms with internal model approvals for regulatory capital — but its principles apply to all models wherever they are used within those firms, without carve-outs for EUC tools or business-unit-operated applications. The PRA has already commenced supervisory engagement with the first cohort. Firms that have not yet conducted a formal self-assessment are already behind the curve.
United States — Federal Reserve / OCC / FDIC SR 26-2: A Deliberate Narrowing
On 17 April 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2, replacing SR 11-7 as the primary US model risk management guidance. The revision reflects fifteen years of accumulated supervisory experience, significant industry feedback, and the transformation of modeling practice brought about by machine learning and generative AI.
SR 26-2 retains the core architecture of SR 11-7 — model development and implementation, validation, and governance and controls — and updates it for the modern modeling environment. It is calibrated to each institution’s size and model risk profile, applying most directly to organisations with over $30 billion in total assets. On most dimensions, it represents a sensible modernization of a framework that had remained largely unchanged for fifteen years.
On one dimension, however, it breaks sharply from the international consensus that has been forming around it — and that break has direct consequences for global banks:
SR 26-2: The Spreadsheet Exclusion
SR 26-2 explicitly excludes ‘simple arithmetic calculations, such as those found within spreadsheets, as well as deterministic rule-based processes and software’ from the definition of a model. This is a substantive narrowing of SR 11-7, whose expansive definition had been broad enough to capture a wide range of EUC tools — and which most institutions had interpreted as doing exactly that.
Banks that had classified basic spreadsheet calculators as models for US supervisory purposes may formally reclassify them as out of scope. The guidance is non-prescriptive and does not set enforceable standards, though supervisory action remains available where inadequate model risk management results in unsafe or unsound practices. Generative and agentic AI are similarly placed outside SR 26-2’s scope.
The rationale is not unreasonable: SR 11-7’s expansive definition had generated model inventories of extraordinary size, making meaningful risk-based prioritization difficult and consuming governance resources that could have been focused on genuinely complex tools. SR 26-2 attempts to recalibrate that balance. The problem is that it does so in a way that creates a direct and unresolved tension with the PRA’s binding requirements — a tension that falls squarely on the compliance functions of globally active banks.
The International Consensus: OSFI E-23, the BMA, and the Direction of Travel
The PRA’s position is not an outlier. Other major regulators have moved in the same direction — treating EUC governance as a baseline expectation rather than an optional enhancement. Two examples are instructive.
Canada’s OSFI published its updated Guideline E-23 on Model Risk Management in September 2025, effective May 2027. Like SS1/23, it takes a broad, principles-based approach that explicitly encompasses AI and machine learning systems as well as traditional EUC tools. Notably, E-23 extends to foreign bank branches operating in Canada — meaning US banks with Canadian operations face a third definitional standard that aligns with the PRA, not the Fed.
The Bermuda Monetary Authority has similarly strengthened its model governance expectations, with requirements effective from December 2024 that include documented data policies, board-level model oversight, and an AI governance framework covering all BMA-regulated entities. The BMA’s outcomes-based approach draws explicitly on Basel Committee principles and is consistent with the direction taken by the PRA and OSFI.
The pattern is clear: among the major financial regulatory jurisdictions, SR 26-2’s definitional narrowing is the exception, not the rule. The international direction of travel is toward broader EUC scope, stronger board accountability, and binding enforcement — not away from it.
The Asymmetry at the Heart of Global Compliance
The divergence between SR 26-2 and SS1/23 is not a nuance to be managed at the margins of a compliance program. It is a structural tension that sits at the center of the MRM framework for any bank regulated by both the Federal Reserve and the PRA — and it cannot be resolved by choosing one standard over the other.
The Core Tension
SR 26-2 explicitly excludes simple arithmetic spreadsheet calculations from the US model definition, narrowing the scope of domestic model risk governance obligations. SS1/23 explicitly includes EUC tools and spreadsheet-based calculations within the scope of UK model risk governance obligations — as a binding supervisory requirement, not guidance.
A bank regulated by both the Fed and the PRA cannot apply the US exclusion to its UK entity. The PRA’s requirements govern UK operations regardless of what the Fed permits domestically. Canada’s E-23 and the BMA’s requirements reinforce the same conclusion for those jurisdictions.
The practical consequences for globally active institutions are significant:
- Governance bifurcation risk: A centralized MRM function that reads SR 26-2’s narrowing as an enterprise-wide permission to reduce EUC oversight will inadvertently remove legally required PRA controls for UK operations. This is the single most dangerous misreading of the new US guidance — and given that global MRM governance is frequently managed from a US center of excellence, the risk of it occurring is real.
- Inventory architecture: A bank cannot satisfy both SR 26-2 and SS1/23 with an undifferentiated enterprise model inventory. The only viable solution is a single authoritative inventory enriched with jurisdiction-level classification — one that can produce a narrower population for US supervisors and a broader one for the PRA, from the same underlying data, without manual reconciliation.
- Validation program conflict: SS1/23 requires independent validation of all material models, including EUC tools, with outcomes formally reported to senior governance bodies. SR 26-2 allows validation intensity to be calibrated to the model risk profile. A global bank’s UK validation team may therefore be required to validate tools that the US team has formally moved off the model inventory — creating direct resourcing conflicts and potential gaps in the UK validation program that the PRA will be looking for.
- AI and EUC convergence: As AI-assisted tools proliferate — AI-generated code embedded in spreadsheets, Python notebooks operated by business units, LLM-assisted calculators — the boundary between SR 26-2’s excluded “simple arithmetic” and SS1/23’s included EUC tools will become an active area of supervisory debate on both sides of the Atlantic. Firms that have not established clear governance for these tools before regulators force a classification will find themselves managing the problem reactively, not proactively.
The conclusion for globally active institutions is unambiguous: the highest applicable standard governs. SR 26-2’s domestic narrowing offers no relief to a PRA-regulated entity in London, and OSFI’s E-23 and BMA requirements extend the same principle to Canadian branches and Bermuda-regulated entities. There is no jurisdiction in which reducing EUC governance on the back of the US guidance is the right answer.
Six Actions for Globally Active Banks
The multi-jurisdictional complexity outlined above does not reduce the imperative for robust EUC governance — it intensifies it. The following actions are non-negotiable for institutions with cross-border regulatory exposure.
1. Build a Jurisdiction-Aware Model Inventory
Enterprise model inventories must be architected to carry regulatory jurisdiction metadata from the outset. Every tool, EUC application, calculator, and model should be tagged against the regulatory regimes to which it is subject. This is not about maintaining two separate inventories — it is about enriching one authoritative inventory with the classification logic to produce jurisdiction-specific views on demand.
A spreadsheet may be classified as ‘non-model’ for SR 26-2 purposes while simultaneously being ‘in-scope EUC’ under SS1/23. Both classifications must be recorded, reportable, and auditable. Reducing the total inventory to match the narrowest applicable definition is not a solution — it is a compliance failure waiting to be found.
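The single-inventory, multiple-views architecture described above, as a constructed example that is not code from any MRM platform or regulator: the record fields, the simplified scope rules (a reading of the SR 26-2, SS1/23 and E-23 positions summarised in this article) and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Tool:
    """One inventory record. Field names are constructed for this example."""
    tool_id: str
    name: str
    entities: frozenset        # jurisdictions of the entities using it: "US", "UK", "CA"
    simple_arithmetic: bool    # basic spreadsheet arithmetic only
    deterministic_rules: bool  # threshold/rule logic rather than estimation (a DQM)
    material: bool
    complex: bool
    uses_ai_ml: bool = False

def classify_sr_26_2(t: Tool) -> str:
    """US view: the carve-out removes simple arithmetic and rule-based tools
    from the model definition, but the record itself is kept, not deleted."""
    if "US" not in t.entities:
        return "n/a"
    if t.simple_arithmetic or t.deterministic_rules:
        return "excluded"
    return "model"

def classify_ss1_23(t: Tool) -> str:
    """UK view: EUC tools and spreadsheet calculations are in scope; DQMs are
    governed under the MRM framework when material and complex."""
    if "UK" not in t.entities:
        return "n/a"
    if t.deterministic_rules:
        return "dqm-governed" if (t.material and t.complex) else "dqm-recorded"
    if t.simple_arithmetic:
        return "euc-in-scope"
    return "model"

def classify_e23(t: Tool) -> str:
    """Canada view: broad scope including AI/ML, covering foreign branches in Canada."""
    if "CA" not in t.entities:
        return "n/a"
    return "ai-ml-model" if t.uses_ai_ml else "in-scope"

REGIMES: Dict[str, Callable[[Tool], str]] = {
    "SR 26-2": classify_sr_26_2, "SS1/23": classify_ss1_23, "E-23": classify_e23,
}

def enrich(inventory: List[Tool]) -> Dict[str, Dict[str, str]]:
    """Every regime's classification is recorded on every tool, so the US
    'excluded' tag and the UK 'in scope' tag sit side by side and are auditable."""
    return {t.tool_id: {name: rule(t) for name, rule in REGIMES.items()}
            for t in inventory}

def regulatory_view(inventory: List[Tool], regime: str) -> List[str]:
    """The population reported to one supervisor, derived from the same
    records rather than from a second, separately maintained inventory."""
    tags = enrich(inventory)
    return sorted(tid for tid, c in tags.items() if c[regime] not in ("n/a", "excluded"))

# Constructed sample inventory (not real tools).
SAMPLE_INVENTORY = [
    Tool("T1", "FX fee calculator", frozenset({"US", "UK"}), True, False, True, False),
    Tool("T2", "Credit threshold classifier", frozenset({"US", "UK", "CA"}), False, True, True, True),
    Tool("T3", "Stress-test notebook", frozenset({"UK", "CA"}), False, False, True, True, True),
    Tool("T4", "Capital model", frozenset({"US"}), False, False, True, True),
]

if __name__ == "__main__":
    for regime in REGIMES:
        print(f"{regime:8} view: {regulatory_view(SAMPLE_INVENTORY, regime)}")
```

Note that the US view is the narrowest and the UK view the broadest, yet both come from one set of records; the FX fee calculator stays in the inventory even though it is "excluded" for US purposes.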
2. Complete an SS1/23 Self-Assessment — and Act on the Findings
PRA supervisory engagement against SS1/23 is already underway. For institutions with internal model approvals for regulatory capital, the window for comfortable remediation is closing.
A structured self-assessment against each of the five principles — with particular focus on EUC identification, documentation standards, and the independence of validation arrangements — should be a standing item on the board risk committee agenda in 2026.
The PRA has been clear on what is required and has signalled that supervisory findings in this area will be taken seriously. Firms should not wait for the regulator to identify gaps that are visible to any honest internal review. Where remediation plans exist, they need credible timelines and senior ownership.
3. Read SR 26-2 Carefully — It Is Not a License to Reduce Governance
SR 26-2’s exclusion of simple spreadsheet arithmetic is a definitional adjustment for US supervisory purposes. It does not signal that EUC risk has diminished, that governance infrastructure is unnecessary, or that the broader regulatory community has changed its view — because it has not.
Institutions with EUC governance programmes built under SR 11-7 should retain those controls for three reasons. First, complex or material spreadsheet tools will still meet SR 26-2’s model definition — the exclusion applies only to simple arithmetic, not to the tool category.
Second, SS1/23 requires explicit EUC governance for all UK-regulated entities regardless of what the Fed has said. Third, operational risk and internal audit functions will continue to assess EUC risk as a standalone discipline, irrespective of model definitional boundaries — and external auditors will follow suit.
4. Establish a Clear Policy on the US / UK Divergence
The most operationally urgent task for any globally active bank is not completing a gap assessment or updating an inventory — it is establishing a documented governance policy that explicitly addresses the asymmetry between SR 26-2 and SS1/23.
Without this, the risk is that individual teams and business lines resolve the ambiguity informally, in different directions, creating inconsistent standards across entities that share the same tools and data.
That policy needs to answer, at minimum: how are EUC tools classified across jurisdictions; which standard governs validation requirements for tools used in both US and UK operations; and how does the institution demonstrate to the PRA that its UK EUC governance is not being diluted by US definitional choices made at the group level.
5. Get Ahead of the AI and EUC Convergence
The most significant governance gap on the near-term horizon sits at the intersection of AI and end-user computing. Business users are deploying Python notebooks, AI-generated code, and LLM-assisted calculators that perform material calculations entirely outside formal IT governance.
These tools occupy a contested regulatory space: potentially excluded by SR 26-2’s simple arithmetic carve-out, almost certainly within SS1/23’s EUC scope — and, where they embed material decision logic, squarely within the PRA’s DQM scope — and explicitly captured by OSFI E-23’s AI/ML model definition.
The PRA has not yet issued specific guidance on AI-assisted EUC tools. Still, its principles-based framework is wide enough to capture them, and supervisory attention to AI governance is intensifying across all major regulators. Institutions that extend their EUC identification, risk-rating, and governance processes to these tools proactively will be better placed than those waiting for a supervisory finding to force the issue.
6. Automate for the Dual-Jurisdiction Reality
Manual governance processes — email-based change approvals, spreadsheet-based register models, fragmented documentation repositories — were inadequate for a single-jurisdiction MRM framework. They cannot support simultaneous compliance with SR 26-2 and SS1/23, which have different scope definitions, documentation standards, validation obligations, and board accountability requirements.
An effective MRM technology platform for globally active institutions must now deliver:
- An enterprise model inventory with jurisdiction tagging, risk-tier classification, and full lifecycle tracking — capable of producing a PRA-compliant view and an SR 26-2-compliant view from the same underlying data.
- Automated workflow management for change control, access control, and approval chains — with immutable audit trails that satisfy PRA documentation and auditability standards.
- Integrated validation management with independence tracking, outcome documentation, and automated escalation to governance bodies — meeting SS1/23 Principle 4 requirements.
- Board and regulatory reporting that produces jurisdiction-specific outputs without manual reconciliation — so that US and UK reporting obligations can be met from a single source of truth.
- EUC discovery and continuous monitoring that identifies new or changed Models and DQMs before they become a regulatory finding — essential given the speed at which business-unit computing environments evolve.
The Business Case Has Fundamentally Changed
Until recently, the argument for investing in EUC governance technology was primarily risk-reduction: uncontrolled spreadsheets create model errors, and model errors create losses. That argument remains valid.
In 2026, it has a second, more urgent dimension: regulatory compliance. SS1/23 is binding law for PRA-regulated entities, and manual processes cannot satisfy its documentation, validation, and reporting obligations. For globally active banks, technology investment in MRM infrastructure is no longer an enhancement to best practice — it is the minimum required to demonstrate compliance.
The Questions Every MRM Function Should Be Asking Right Now
The model risk management agenda has grown in complexity, but the diagnostic questions remain the same in structure — it is the stakes that have risen. Institutions should be actively examining:
1. Does your model inventory reflect SS1/23’s scope for UK-regulated entities?
Specifically, does it include EUC Models and DQMs that are explicitly in scope under the PRA’s five principles, regardless of how they are classified under SR 26-2?
2. Has a formal SS1/23 self-assessment been completed and presented to the board?
Are remediation timelines credible and on track ahead of PRA supervisory engagement?
3. Is there a documented, board-approved policy resolving the SR 26-2 / SS1/23 asymmetry?
One that prevents the US definitional narrowing from being applied by group-level governance functions in a way that strips PRA-required controls from UK entities?
4. How are AI-assisted tools being classified and governed across US and UK operations?
Does the current framework satisfy SS1/23’s EUC scope requirements for Python notebooks, AI-generated code, and LLM-assisted calculators operated by business units?
5. Can the institution produce board-level model risk reporting satisfying both the PRA and the Fed?
From a single data source, without manual reconciliation?
6. What is the current state of EUC discovery?
Is the firm confident its UK model inventory captures the full population of material EUC Models and DQMs — including those being built today in business units outside formal IT governance?
Conclusion: The Governance Imperative Is Greater, Not Lesser
Six years ago, the argument that critical spreadsheets are models — and require the same governance rigor as formally recognized models — was a position that many institutions were still debating. That debate is over. The PRA has legislated it. OSFI has formalized it. The BMA expects it. And even the US Federal Reserve, which has narrowed its model definition for domestic purposes, has not suggested that EUC risk has ceased to exist or that governance is optional for complex tools.
What the past six years have produced is not a simpler governance landscape — it is a more demanding one. The institutions that will navigate it successfully are those that invest in purpose-built MRM infrastructure capable of managing multi-jurisdictional inventory requirements, automated governance workflows, and board-level reporting across regulatory regimes that do not fully align with one another.
The question is not whether your spreadsheets are models. Three of the four major regulators have answered that for you. The question is whether your governance infrastructure is built for the regulatory world as it exists in 2026, not for the one it was designed around in 2011.
Frequently Asked Questions
Does SR 26-2 replace SR 11-7?
Yes. SR 26-2, issued jointly by the Federal Reserve, OCC, and FDIC in April 2026, replaces SR 11-7 as the primary US model risk management guidance. It retains SR 11-7’s core framework but updates it for machine learning and generative AI, and narrows the model definition to exclude simple arithmetic spreadsheet calculations.
Are spreadsheets in scope under PRA SS1/23?
Yes, explicitly. SS1/23, which came into legal force in May 2024, includes end-user computing applications and offline spreadsheet calculations within the scope of model risk governance obligations. This applies to all material tools used within PRA-regulated firms, without carve-outs for business-unit-operated spreadsheets.
What is the key difference between SR 26-2 and SS1/23 on EUC tools?
SR 26-2 (US) excludes ‘simple arithmetic calculations, such as those found within spreadsheets’ from the definition of a model. SS1/23 (UK) explicitly includes EUC tools and spreadsheet calculations within model risk governance scope as a binding legal requirement. For globally active banks, both standards apply simultaneously to their respective jurisdictions.
Does SR 26-2 apply to UK banks?
SR 26-2 is US guidance applicable to federally regulated US financial institutions. It does not apply to a bank’s UK-regulated entity, which remains subject to PRA SS1/23. A globally active bank cannot apply SR 26-2’s EUC exclusion to its UK operations — the PRA’s binding requirements govern UK entities regardless of what the Fed permits domestically.
What does OSFI E-23 say about EUC and spreadsheet governance?
OSFI’s updated Guideline E-23, published September 2025 and effective May 2027, takes a broad principles-based approach that encompasses AI/ML systems as well as traditional EUC tools. Crucially, it extends to foreign bank branches operating in Canada, meaning US banks with Canadian operations face a third definitional standard that aligns with the PRA, not SR 26-2.
