On September 11, 2025, the Office of the Superintendent of Financial Institutions Canada (“OSFI”), the independent agency that regulates banks, insurance companies, trust companies, loan companies and pension plans in Canada, published Guideline E-23 – Model Risk Management (2027)(the “Guideline”). The Guideline uses a principles-based approach to set out OSFI’s expectations for federally regulated financial institutions’ enterprise-wide Model risk management. The Guideline defines a “Model” as an application of theoretical, empirical, judgmental assumptions or statistical techniques, including artificial intelligence (“AI”) or machine learning methods, which process input data to generate results. The Guideline will come into effect on May 1, 2027.
The Guideline was developed in response to the increased use of AI and machine learning tools in the financial services industry. It is critical that federally regulated financial institutions are cognizant of how the use of Models can impact their risk profile. An increased risk profile resulting from the use of Models could lead to financial loss, biased decision making and reputational damage to a financial institution. To mitigate this risk, federally regulated financial institutions should put in place a robust Model risk management framework, as outlined in the Guideline, to govern the use of AI and machine learning by the institution so that it aligns with the institution’s risk appetite.
The Guideline applies to all federally regulated financial institutions, including foreign bank branches and foreign insurance company branches to the extent it is consistent with other requirements and legal obligations as set out in OSFI’s Guideline E-4 on Foreign Entities Operating in Canada on a Branch Basis. Below is a high-level overview of OSFI’s expectations of federally regulated financial institutions on how they can effectively use Models and mitigate the resulting risk per the requirements set out in the Guideline.
Enterprise-wide Model Risk Management
The Guideline sets out…
The Privacy Paradox: Why Organizations Are Betting Big on Data Protection in the AI Era
Our analysis of Cisco’s 2025 Data Privacy Benchmark Study revealing the complex interplay …
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
