ARTICLE
10 October 2025

Model Risk Management For Federally Regulated Financial Institutions

Dentons Canada LLP



The Office of the Superintendent of Financial Institutions Canada (OSFI) published the final version of Guideline E-23: Model Risk Management (the Guideline) on September 11, 2025. The Guideline becomes effective May 1, 2027, which is nearly ten years from the date the draft Guideline was first published. Over the past decade, there have been notable advancements in, and growing use of, artificial intelligence (AI) and machine learning (ML) models by federally regulated financial institutions (FRFIs). The Guideline sets out OSFI's expectations for model risk management (MRM) in response to the increased model usage by FRFIs, including insurers, and their increased reliance on models to support or drive decision-making. As an over-arching theme, effective MRM requires participation from FRFI representatives across functions and internal departments.

Models and model risk

Models are broadly defined as applications of theoretical, empirical, judgmental assumptions or statistical techniques, including AI/ML methods, which process input data to generate results. A model has three distinct components: (i) a data input component that may also include relevant assumptions, (ii) a processing component that identifies relationships between inputs, and (iii) a result component that presents outputs in a format that is useful and meaningful to business lines and control functions. FRFIs must therefore carefully consider the universe of tools to determine whether a given tool may constitute a "model."

Model risk assessment involves considering the risk of adverse financial impact arising from the design, development, deployment and/or use of a model. The Guideline acknowledges that residual risk may remain after institutions have implemented controls and tools to identify, measure and mitigate model risk.

The Guideline sets out three main outcomes for effective MRM, which are each described in greater detail below.

  1. Model risk is well understood and managed across the enterprise.
  2. Model risk is managed using a risk-based approach.
  3. Model governance covers the entire model lifecycle.

Understanding and managing model risk

OSFI expects senior management and model stakeholders to understand a model's intended use, inherent limitations and potential negative outcomes to their business. Model stakeholders necessarily include the model's owner, developer, reviewer and approver, as well as the FRFI's legal and compliance teams.

FRFIs should have governance requirements sufficient to manage and control model risk. Proper governance requires that roles and accountabilities across the organization be defined and that appropriate resources be allocated to manage identified risks. Given the increasing complexity of advanced technologies that may be adopted by FRFIs to complete tasks, analyze risks and/or make decisions, the individuals involved in MRM should represent a wide range of expertise and functions across the organization (including legal and ethical expertise).

FRFIs are expected to establish an MRM framework which includes processes to identify, assess, manage, monitor and report on model risk. The framework should also align risk-taking activities to the FRFI's strategic objectives and risk appetite. The business objectives associated with each model's use should be assessed on a continuous basis as organizational needs change over time, and certain models may no longer be fit for purpose.

Managing model risk using a risk-based approach

FRFIs are expected to maintain an accurate and comprehensive model inventory for models which pose non-negligible risk to the organization. The minimum information requirements for the model inventory are set out in Appendix 1 of the Guideline. Model risk ratings should be assigned to each model based on the FRFI's risk rating approach. There must be a robust process associated with assigning risk ratings. Risk ratings may change throughout the model's lifecycle and require ongoing review, including when a material event occurs. In cases where model risk falls outside the institution's risk appetite, the institution should establish appropriate remediation actions. The risk rating approach should include both quantitative and qualitative factors. Depending on the FRFI's risk appetite and its assessment of the model's risk, limits may be placed on the model's usage and scope. Such limits should be communicated in writing to all relevant stakeholders in the organization, and the FRFI should ensure there is internal awareness and understanding in this regard.

In line with OSFI's principles-based approach, the intensity of risk management associated with a particular model should be proportional to the risk introduced by the model. Institutions should deploy models only when they meaningfully contribute to decision-making, risk assessment or business purposes and deliver reliable outcomes consistent with their intended use.

Establishing model governance over the model lifecycle

Policies, procedures and controls should cover the full model lifecycle and apply commensurate with the level of risk associated with the model in question. Key stakeholders should be identified and involved early in the model lifecycle process. Model owners are expected to clearly articulate the model's purpose and to identify the business use case. For models using AI/ML or other advanced techniques, additional risks such as potential for biased outcomes, negative social and ethical implications or privacy risks should be assessed.

Institutions should adopt robust data governance with standards for collecting, storing and accessing data used in models. Given the importance of data accuracy and integrity, OSFI expects FRFIs to regularly assess data quality, implement controls in this regard and ensure appropriate data cleansing operations. In particular, consideration should be given to the potential for unwanted bias within the data, which can translate into unfair model outputs with associated reputational risks. To that end, institutions should consider adopting AI governance policies and ensuring appropriate training thereon. The FRFI should also ensure that the assessment of conceptual soundness and performance (e.g., whether the model is functioning as intended and is fit for purpose) is independent from the model development process.

Takeaways

The potential benefits associated with model use and adoption, including problem solving, increased efficiency and advancing business objectives, must be balanced with potential adverse impacts to FRFIs from an operational, security or financial perspective. FRFIs are ultimately accountable for their use of models and are expected to assess and understand how their use of models may impact their risk profile and, by extension, their overall risk rating. It is critical for this understanding to be shared across key functions of the institution, and for effective monitoring and controls to be in place to mitigate risk. In our view, MRM should be a standing item for discussion at Board of Directors and Branch Management meetings. We also recommend ongoing monitoring of model use to proactively adjust model risk ratings, where warranted.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.
