On September 11, 2025, the Office of the Superintendent of Financial Institutions ("OSFI") released Guideline E-23 – Model Risk Management (2027) ("Guideline E-23"), which will become effective on May 1, 2027.
Guideline E-23 draws from OSFI's existing Enterprise-Wide Model Risk Management for Deposit-Taking Institutions ("DTIs") Guideline published in 2017 which applies to models used by DTIs (other than foreign bank branches). In contrast, the new Guideline E-23 will apply to all models that carry risk to the institution for both DTIs and federally regulated insurers ("FRIs"), including branches (collectively, "FRFIs"). Guideline E-23 will not apply to federally regulated pension plans.
The release of the revised Guideline E-23 and the expansion of its scope reflects OSFI's recognition that the financial services industry is experiencing a rapid rise in digitalization and model applications, amplified by the surge in artificial intelligence and machine learning ("AI/ML"). FRFIs are also increasingly relying on models to support their decision-making in areas that are not traditionally model-driven. OSFI's Guideline E-23 aims to ensure that FRFIs can manage risks inherent to the use of models (e.g., financial losses, legal exposure, and reputational harm) responsibly through the implementation of effective, enterprise-wide model risk management ("MRM") practices.
Guideline E-23 outlines three expected outcomes of effective MRM:
1. Model risk is well understood and managed across the enterprise
Effective MRM requires senior management to be responsible for defining clear roles, accountabilities and expectations for MRM across the institution. Senior management should ensure that qualified personnel with the necessary skillsets are in place and should establish clear reporting and communication channels to inform the board of directors about model risk. Guideline E-23 emphasizes the importance of a multidisciplinary approach to MRM, including collaboration among various areas of expertise within the organization and, where appropriate, the involvement of legal and ethics professionals.
The MRM framework should align with the FRFI's risk appetite and be integrated into the broader risk and governance framework, as outlined in OSFI's Corporate Governance Guideline. Where models are sourced externally, such as from foreign offices or third-party vendors, FRFIs should also apply OSFI's Guideline B-10 Third-Party Risk Management to ensure proper oversight and accountability.
2. Model risk is managed using a risk-based approach
Guideline E-23 adopts a risk-based approach, such that OSFI's expectations are scaled according to the FRFI's size, strategy, risk profile, nature, complexity, and level of interconnectedness.
OSFI outlines three main components of a risk-based approach to MRM:
1. Model Identification & Inventory – FRFIs must maintain a comprehensive list of models with non-negligible inherent risk. Institutions should have a defined process to periodically identify and track all models that are in use or recently decommissioned.
2. Model risk rating – Each model should be assigned a model risk rating based on its inherent risk determined by qualitative and quantitative criteria. Models that carry negligible inherent risk may be exempt from the full model lifecycle governance requirements. Externally developed models should be assessed for model risk ratings on a standalone basis.
3. Risk Management Intensity – The scope, scale, and intensity of MRM should be commensurate with the model's inherent risk rating. This risk rating should guide the frequency and intensity of model reviews and monitoring, the extent of documentation, the level of authority required to approve the model, the limitations on model usage, and the controls required to mitigate residual model risk.
3. Model governance covers the entire model lifecycle
FRFIs are expected to manage model risk throughout the entire lifecycle of a model, from its design and development through deployment, monitoring, and eventual decommissioning.
- Model design and rationale: Each model should have a clear rationale and defined business purpose. For models using AI/ML, additional considerations include transparency and explainability requirements, the need for alternative controls, and the potential for biased outcomes, negative social and ethical implications, and privacy risks.
- Model data: FRFIs should establish standards for the collection, storage, and access of model data to ensure it is accurate, relevant, representative, compliant, and traceable, noting that the consequences of flawed data can be significant, especially for AI/ML models.
- Model development, review, approval, and deployment: FRFIs should set practice standards for model documentation, the use of expert judgment, developer testing, model explainability, model performance, and how model outputs are used and reported. Independent model reviews should also be conducted to verify that the models perform as intended and remain fit-for-purpose. At a minimum, approvals should be obtained 1) before the implementation of a model change, and 2) following periodic reviews. Models should be deployed in an environment with quality and change control processes, especially AI/ML models that may depend on multiple components, diverse and dynamic data sources, and third-party elements.
- Model monitoring and decommissioning: Models should be subject to ongoing monitoring to ensure they remain fit-for-purpose and to detect performance issues or breaches of limits. Models that are no longer fit-for-purpose should be decommissioned through a structured process that includes notifying relevant stakeholders, retaining the retired model for benchmarking or fallback, monitoring downstream effects to minimize residual impact, and determining any additional actions required for third-party models.
AMF – Model Risk Management Guideline in Quebec
In Quebec, the Autorité des marchés financiers ("AMF") published the Model Risk Management Guideline in June 2025 (with immediate effect), which applies to authorized insurers, financial services cooperatives, authorized trust companies and other authorized deposit institutions.
The AMF guideline is largely aligned with Guideline E-23, particularly regarding governance, model lifecycle management, and the proportional application of controls based on model complexity. However, OSFI goes further by explicitly addressing AI/ML models and detailing its expectations around multidisciplinary teams and evidence of compliance. Insurers subject to both guidelines will need to compare the requirements and adhere to the stricter standard to ensure full compliance.
Key Takeaways
Guideline E-23 recognizes that models, especially those powered by AI/ML, can offer significant benefits but also pose substantial risks if not properly managed.
FRFIs should begin preparing for Guideline E-23's implementation by reviewing their current model inventories, governance structures, and validation practices. Going forward, OSFI expects institutions to demonstrate that they understand the risks that their models pose, that they have implemented controls proportionate to those risks, and that their governance frameworks support transparency, explainability, and ethical model use.
This will be especially important for FRIs, which were not previously subject to specific model risk guidance even though their use of models (for instance, to assess the impact of uncertain events) has long been key to their success.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2025