Article

OSFI responds to the growing use of AI: Key updates to guideline E-23

Globally, attempts at AI governance continue to evolve:

  • On September 26, 2025, Canada’s federal government announced the launch of a new AI Strategy Task Force, whose preliminary recommendations are expected to be released later this month and are expected to inform Canada’s anticipated federal AI legislation.
  • South of the border, California became the first U.S. state to enact a comprehensive suite of AI laws, which will govern a wide range of issues, including automated decision-making, privacy, transparency, and AI safety.
  • Internationally, the G7 Cyber Expert Group released a statement on AI and Cybersecurity, noting the dual role of AI in the financial sector and the need for coordination between financial authorities, institutions, academics, and technology developers to ensure the industry’s readiness for AI-driven security incidents.

One of the latest efforts by Canadian regulators to respond to AI risks and opportunities and fill Canada’s current legislative gap with respect to AI guardrails is the Office of the Superintendent of Financial Institutions’ (OSFI) much-anticipated updates to Guideline E-23 (the Guideline). The Guideline will come into force on May 1, 2027, and addresses the increased use of artificial intelligence and machine learning models by federally regulated financial institutions (FRFIs).

Below, we provide an overview of the Guideline’s new risk management requirements and provide some key considerations for FRFIs to help ensure compliance with the Guideline by the time it takes effect.

Background

The Guideline was introduced after the publication of a draft guideline in 2024 and a subsequent series of public consultations and discussions with key stakeholders. The most significant change to the Guideline is its expanded scope with respect to both the entities and models governed, as well as the model risks it aims to regulate. For example, the Guideline will apply to:

  • all FRFIs, including banks, foreign bank branches, property and casualty companies, trust and loan companies, and life insurance and fraternal companies;
  • all models (regardless of their purpose or the significance of their risk); and
  • third parties (e.g., where an FRFI engages a service provider to develop a model externally).

New expectations

In addition to its expansion of scope, the Guideline primarily formalizes OSFI’s expectations for enterprise-wide model risk management (MRM) frameworks. Specifically, OSFI will expect FRFIs to:

  • Establish an MRM framework that includes:
    • Risk assessment: each model’s risk must be assessed with a focus on model vulnerabilities and the materiality of model impacts.
    • Risk management: the scope, scale and intensity of model governance requirements and risk mitigants should be informed by a model’s inherent risk.
    • Model identification: processes must be in place to identify and create an inventory of models used throughout the organization.
  • Implement policies, procedures and controls that cover the full model lifecycle, such as model identification, model inventory, model risk ratings, and requirements for model lifecycle governance. Other highlights of such expectations include:
    • Model design: model design should include the rationale for modelling (e.g., the model’s purpose and specific business use case), measures to ensure the preservation of data quality (e.g., data should be accurate, fit for use, traceable and relevant), and development processes that set clear standards for performance and documentation.
    • Review and approval: a process must be in place to independently assess the performance and conceptual soundness of models, including whether models are working as intended and fit for their intended purpose.
    • Deployment: models must be properly configured, tested, and deployed in an environment involving quality and change control processes.
    • Monitoring: documented standards for model monitoring must be in place that address matters including evaluation criteria, monitoring measures, and escalation procedures for sharing issues with stakeholders.
    • Decommission: when a model is decommissioned, a process must be in place to alert relevant parties of the decommissioning and to monitor any future effects of it.
  • Allocate appropriate resources to model risk management and ensure they are able to provide evidence that those resources are sufficient to support a sound governance framework.

Key takeaways for FRFIs

  • While AI capabilities offer significant opportunities to enhance the operational, analytical, and risk management capabilities of financial institutions and authorities, AI uptake by malicious actors as well as the increasing complexity of AI systems introduce novel cybersecurity risks.
  • To effectively assess model risks, FRFIs should establish a multi-disciplinary team representing a wide range of expertise and functions from across the organization, including legal and ethics professionals.
  • While the Guideline does not come into effect until early 2027, FRFIs should begin socializing the Guideline’s new requirements as many of OSFI’s expectations may require a substantial effort from an AI governance perspective.
  • FRFIs must develop risk-based policies and procedures for model use that are proportional to their size, risk profile, complexity of operations, and interconnectedness in the financial system. These policies and procedures should be situated within an organization’s broader governance framework.
  • FRFIs must bring models or data sourced externally, such as from foreign offices or third-party vendors, within their MRM framework, consistent with OSFI Guideline B-10 Third-Party Risk Management Guideline. This is particularly crucial as many AI vendors may not yet have validation and reporting capabilities consistent with these requirements. Accordingly, FRFIs must assess and manage risks from third-party model vendors who do not meet MRM standards. This can be achieved through robust oversight, documented governance processes, and the negotiation of vendor contracts.
  • While we await a new federal AI law, FRFIs should continue to monitor AI legislative developments that may apply to them while developing any MRM or AI governance frameworks to ensure they align with any proposed laws. FRFIs should take note of international AI requirements, such as the EU Artificial Intelligence Act, which will apply to FRFIs with a European presence.
