OSFI updates and expands scope of Guideline E-23 for AI governance

Last month, the Office of the Superintendent of Financial Institutions (OSFI) released an updated version of Guideline E-23 (the Guideline) setting out its expectations on enterprise-wide model risk management (MRM). Effective May 1, 2027, OSFI's updates respond to the growing use of AI by adding new requirements and expanding the scope of the Guideline’s application, with significant implications for both regulated entities and their service providers.

What you need to know

• Expanded scope: the Guideline applies to all federally regulated financial institutions (FRFIs) and all models regardless of their source (i.e., internal or third party) or purpose.
• Required framework: FRFIs are expected to establish an enterprise-wide, risk-based MRM governance framework with policies and procedures that govern each stage of a model’s lifecycle.
• Key components: the Guideline emphasizes the importance of data governance, sufficient resourcing and expertise, comprehensive documentation and proportionality.
• Third parties: service providers and other businesses partnering with FRFIs should be prepared to meet heightened MRM expectations and requirements.
• Next steps: FRFIs should review their existing MRM and AI governance frameworks now to identify gaps and opportunities for enhancement to ensure compliance by May 2027.

Background and key concepts

A draft revised Guideline E-23 was published on November 20, 2023 for public consultation until March 22, 2024. The draft introduced several changes relative to the 2017 Guideline E-23: Enterprise-Wide Model Risk Management for Deposit-Taking Institutions. While many of these revisions have been retained in the final Guideline, further updates have been incorporated to reflect stakeholder feedback. For example, the 2023 draft guideline extended to federally regulated private pension plans, but the 2025 final Guideline excludes them from the scope of application.

The Guideline defines “model” broadly to capture all methodologies that process input data to generate results. In addition, artificial intelligence and machine learning (AI/ML) methods are expressly included in the definition.

Expanded scope

The most significant change to the Guideline is its expanded scope of both the entities and models governed, as well as the model risks it aims to regulate.

• Entities. The new Guideline applies to all FRFIs, including banks, foreign bank branches, life insurance and fraternal companies, property and casualty companies, and trust and loan companies.
• Models. All models are captured by the Guideline, regardless of their purpose or the materiality of their risk (so long as that risk is non-negligible).
• Third parties. The Guideline applies equally to all models used by the FRFI, regardless of whether they are developed internally or externally, and whether the data involved is from an internal or external source.

Model governance frameworks

Beyond its expanded scope, the Guideline changes its focus on the elements of an MRM framework. These elements are summarized below.

MRM framework expectations

OSFI expects FRFIs to establish an MRM framework consisting of the following elements:

• Model identification. FRFIs should have processes in place to identify and create a comprehensive inventory of models used throughout the enterprise.
• Risk assessment. FRFIs need to assess each model’s risk, with a focus on model vulnerabilities and the materiality of model impacts. Enhanced scrutiny should be applied to models with greater inherent risk.
• Risk management. A model’s inherent risk should drive the scope, scale and intensity of model governance requirements and risk mitigants.

FRFIs are expected to have policies, procedures and controls covering the full model lifecycle. These instruments are expected to be robust, comprehensively and thoroughly documented, and sufficiently flexible to accommodate technological developments and different model types and risks. They should also follow governance best practices, such as establishing clear lines of accountability.

FRFIs are also expected to allocate appropriate resources to model risk management. They are expected to be able to provide evidence that those resources are sufficient to support a sound governance framework.

Key themes of OSFI’s expectations

A number of expectations permeating the Guideline should form key considerations for FRFIs in establishing, operating and improving their MRM frameworks:

• Proportionality to risk and an institution's size, strategy, risk profile, nature, scope, complexity of operations and interconnectedness, such that disruptions could harm other financial institutions, the financial system or the broader economy.
• Engaging relevant stakeholders at every stage of the model lifecycle, and defining responsibilities and accountability for such stakeholders.
• Ensuring the involvement of a multidisciplinary team representing a wide range of expertise and functions from across the institution, including legal or ethics professionals as appropriate.
• Thorough, comprehensive and up-to-date documentation throughout the model lifecycle, as well as defined processes to identify and track all models in use or recently decommissioned.
• Robust data governance and controls with attention to appropriateness, potential bias, fairness and privacy concerns.

Expectations throughout the model lifecycle

OSFI provides expectations for FRFIs applicable to the model lifecycle. Highlights of these expectations include:

1. Design. Model design should include three main elements:
   1. Rationale. The rationale for modeling should express the model’s purpose and the specific business use case, and assess the risk of the model’s intended usage.
   2. Data. FRFIs should preserve data quality by ensuring that data is accurate and fit for use, relevant and representative, compliant, traceable and timely.
   3. Development. FRFIs should have model development processes that set clear standards for performance and documentation. In the case of AI/ML models, this includes proper training and parameter optimization.
2. Review and approval. FRFIs should have a process to independently assess conceptual soundness and performance of models. The review should validate whether models are (i) properly specified, (ii) working as intended, and (iii) fit for purpose. The approval decision should involve assessing whether the model is suitable to be implemented into production or continued based on its intended use, and should occur throughout the model lifecycle.
3. Deployment. Models should be deployed in an environment containing quality and change control processes. The model must be properly configured, tested and moved into production, which is particularly important for AI/ML models that depend on several components, diverse and dynamic data sources, and third-party elements.
4. Monitoring. FRFIs should have defined, documented standards for model monitoring. These standards should address evaluation criteria, monitoring methods, operational changes, breach thresholds, contingency plans and escalation procedures for sharing issues with stakeholders.
5. Decommission. Decommissioning should follow a disciplined process and include, among other things, alerting all relevant stakeholders of the planned decommission and monitoring downstream effects to ensure there are no residual impacts.

Impacts on FRFI-vendor relationship

The implementation of an MRM framework establishes heightened expectations for FRFIs with respect to models and data sourced externally, including from foreign offices or third-party vendors pursuant to OSFI’s Guideline B-10 on Third-Party Risk Management. Many AI and machine learning vendors may not yet have governance, validation and reporting capabilities consistent with these requirements, particularly with respect to the complexity, autonomy and explainability challenges of AI/ML models noted in the Guideline. FRFIs may need to assess and manage residual risks from third-party model providers who do not fully meet MRM standards, and ensure such risks remain within the FRFI’s defined risk appetite. Such risks may be mitigated through documented governance processes, robust oversight, and accountability at the board and senior management levels.

Next steps and considerations for FRFIs

Beyond vendor relationships, there are a number of steps FRFIs can take to help ensure compliance with the Guideline by the time it takes effect on May 1, 2027.

Identify and address gaps

Given the increased scope of application of the new Guideline and the accelerated adoption of AI, FRFIs should evaluate their MRM governance framework and practices against OSFI’s expectations. They are advised to document relevant policies, procedures, practices, and any identified gaps or enhancement opportunities. These gaps and potential enhancements should then be triaged according to their risk and related business considerations.

Identifying models and establishing a model inventory is often a helpful first step to get a grasp on the scope of the models used within an institution. This, in turn, would inform the scope and scale of the MRM framework required.

Socialize the Guideline’s expectations

Some of the Guideline’s expectations may require a substantial effort from a governance and organizational perspective. This includes meeting OSFI’s resourcing expectations and developing an inventory of all models with non-negligible risk. Informing and engaging with the right personnel throughout an institution may be valuable from a process perspective and may help facilitate meeting the Guideline’s substantive expectations.

Alignment with other AI legal requirements and guidance

FRFIs establishing or enhancing an MRM or AI governance framework should consider the extent to which they should incorporate other legal requirements and guidance (whether proposed or in force). Existing obligations and guidance may include notice requirements with respect to automated decision-making in Québec and privacy regulator guidance on generative AI. FRFIs with a European presence will also need to ensure alignment with the EU Artificial Intelligence Act.

Outsourced model development and/or implementation

FRFIs should ensure they include procurement policies, diligence procedures and standard contractual terms in any MRM framework gap analysis. Generally, FRFIs should take care to ensure adequate contractual protections are in place, including monitoring controls, documentation and contingency plans when using external data or models, as they remain accountable for their use. In some circumstances, updates to some longer-term, higher-risk agreements may be warranted to align with OSFI expectations.

Both parties would also benefit from clear delineation of various responsibilities. In some cases, a responsibility matrix may be helpful in achieving this delineation.