On July 3, 2025, the Autorité des marchés financiers (AMF) released draft guidelines on the use of artificial intelligence (AI) in the financial sector. This Québec initiative is part of a broader global trend toward proactive regulation of emerging technologies. The draft guidelines are open for public consultation, and stakeholders are invited to submit comments by November 7, 2025.
The proposed guidelines set out specific and operational expectations for risk management, governance and the fair treatment of clients in the use of artificial intelligence systems (AIS).
The AMF defines an AIS as:
"a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AISs vary in their levels of autonomy and adaptiveness after deployment."
This guideline will apply to financial institutions, including licensed insurers, financial services cooperatives, licensed trust companies and deposit-taking institutions. The AMF specifies that expectations will be proportionate to the institution's nature, size and complexity, as well as the risk rating assigned to each AIS.
Risk assessment: Risk-based classification
Each institution will be expected to assess the risk level of every AIS it uses and assign it a corresponding rating. This rating will determine the policies, processes, and procedures applied throughout the system's lifecycle, including governance, risk management and client protection.
Where information is incomplete, a provisional risk rating—based on a conservative approach—must be assigned and later updated when sufficient data becomes available.
Risk assessments should consider:
- Technical characteristics (e.g., dynamic calibration, unstructured data, open-source code)
- Data quality and sources (primary, secondary, synthetic)
- Existing controls (bias mitigation, conflict-of-interest prevention, model drift detection)
- Institution's exposure (number of affected clients, decision criticality, third-party dependencies)
Financial institutions must periodically review these ratings and adjust policies and controls accordingly.
AIS lifecycle management
The AMF reminds institutions that each AIS follows a distinct lifecycle, from initial design to eventual decommissioning.
Financial institutions will be required to establish processes covering all phases of this lifecycle. These processes and controls must be developed, documented, approved and implemented in proportion to the AIS's risk rating. The higher the risk, the more stringent the monitoring, validation and improvement requirements. Additional restrictions will apply to high-risk systems or those lacking certain critical data.
Ongoing supervision is also mandatory. Institutions must monitor both the performance of the AIS and the quality of its outputs—detecting and addressing bias, errors, conflicts of interest or intellectual property issues. This oversight must combine technological tools with human judgment, especially for the most critical systems.
Governance: Accountability, competence and oversight
The AMF underscores the need for structured governance and clear accountability throughout the AIS lifecycle. Financial institutions must clearly define the roles and responsibilities of all stakeholders and ensure they possess adequate competence in AI, risk management and organizational ethics.
Each AIS must be overseen by a designated owner who reports to a member of senior management formally accountable for all AIS within the institution. Design and procurement teams must combine a strong understanding of business needs with technical expertise in AI. Users and business line managers must be fully aware of the systems' operational limitations and applicable restrictions.
The guidelines will also set specific responsibilities for the board of directors, senior management, the risk management function and the internal audit function.
Managing risks associated with AI
The guidelines require financial institutions to implement a risk management framework tailored to the use of AIS. This framework must reflect the institution's nature, size, complexity and overall risk profile, as well as the specific risk rating assigned to each AIS.
Policies, processes and procedures must be reviewed regularly at a frequency that matches the rapid evolution of AI technologies, following the criteria set out in the guidelines.
The AMF also expects each institution to maintain a centralized, up-to-date register of all AIS in use, detailing their management, monitoring and decision-making processes.
To ensure consistent and transparent oversight, institutions should establish monitoring mechanisms that enable periodic assessments of AI-related risks. The results of these assessments must be communicated to relevant stakeholders, including senior management.
Fair treatment of clients: At the heart of expectations
The guidelines reaffirm the application of fair treatment principles to AIS and introduce additional, AI-specific requirements:
- Institutions must ensure their code of ethics explicitly addresses AIS use, upholding high ethical standards and respect for client rights.
- Risks of discrimination must be actively monitored. Institutions must identify prohibited factors or proxy variables, promptly address any problematic AIS and document all changes. Follow-up reports should be submitted to senior management in accordance with the risk level.
- Any biases detected in decisions must be corrected and documented, with particular attention to the groups affected.
- Data quality—especially for secondary data—must undergo rigorous controls. When public data is collected through web harvesting, clients must be informed of any resulting limitations.
The AMF also stresses the importance of clear, transparent communication with clients. When an AIS uses personal information, institutions must obtain consent. Clients must be informed when they are interacting with an automated system, such as a chatbot, and—upon request—must have access to a human representative. Any decision made or assisted by an AIS must be explained in simple, understandable terms1
Implementation and next steps
Stakeholders have until November 7, 2025, to submit comments, which will be made public unless confidentiality is requested.
Footnote
1 We note in particular the application of the Act respecting the protection of personal information in the private sector, RLRQ c P-39.1, which adds to these considerations.
About Dentons
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.
