On September 11, 2025, the Office of the Superintendent of Financial Institutions Canada ("OSFI"), the independent agency that regulates banks, insurance companies, trust companies, loan companies and pension plans in Canada, published Guideline E-23 - Model Risk Management (2027) (the "Guideline"). The Guideline uses a principles-based approach to set out OSFI's expectations for federally regulated financial institutions' enterprise-wide Model risk management. The Guideline defines a "Model" as an application of theoretical, empirical or judgmental assumptions or statistical techniques, including artificial intelligence ("AI") or machine learning methods, which processes input data to generate results. The Guideline will come into effect on May 1, 2027.
The Guideline was developed in response to the increased use of AI and machine learning tools in the financial services industry. It is critical that federally regulated financial institutions are cognizant of how the use of Models can impact their risk profile. An increased risk profile resulting from the use of Models could lead to financial loss, biased decision making and reputational damage to a financial institution. To mitigate this risk, federally regulated financial institutions should put in place a robust Model risk management framework, as outlined in the Guideline, to govern the use of AI and machine learning by the institution so that it aligns with the institution's risk appetite.
The Guideline applies to all federally regulated financial institutions, including foreign bank branches and foreign insurance company branches to the extent it is consistent with other requirements and legal obligations as set out in OSFI's Guideline E-4 on Foreign Entities Operating in Canada on a Branch Basis. Below is a high-level overview of OSFI's expectations of federally regulated financial institutions on how they can effectively use Models and mitigate the resulting risk per the requirements set out in the Guideline.
Enterprise-wide Model Risk Management
The Guideline sets out a list of criteria that federally regulated institutions should use to develop an enterprise-wide Model risk management framework. To comply with the Guideline, institutions must form multi-disciplinary teams to assess and manage Model risks effectively. The policies and procedures developed must be risk-based and proportionate to each institution's strategic objectives and risk appetite. The Guideline provides key elements of a Model risk management framework, which requires federally regulated financial institutions to:
- Define the processes and requirements to identify, assess, manage, monitor and report on Model risk;
- Develop clear guidelines for the major components, such as: Model identification, Model inventory, Model risk ratings, and requirements for Model lifecycle governance;
- Define how an institution provides transparent and consistent reporting of Model risk at different levels of the enterprise;
- Conduct periodic reviews of the Model risk framework, especially as new technologies emerge; and
- Assess both Models and data sourced from external sources by the institution, including foreign offices or third-party vendors (pursuant to OSFI's Guideline B-10 Third-Party Risk Management Guideline).
An effective Model risk management framework will assist federally regulated financial institutions in safely adopting and using Models to advance business goals.
Risk-based Approach to Model Risk Management
Utilizing a risk-based approach to Model risk management ensures that any requirements that a federally regulated financial institution places on a Model are proportionate to the institution's risk appetite. Institutions should identify and track all Models in use or recently decommissioned, including vendor and third-party Models. An institution's Model risk rating approach should assess the key dimensions of a Model's risk, including its vulnerabilities and the materiality of its impact. The risk-rating approach used by the institution should be supported by clear criteria for each risk dimension, incorporating both qualitative factors (e.g., business use, level of autonomy and reliability of data) and quantitative factors (e.g., size and growth of the portfolio to which the Model applies, and operational, security or financial impacts). The processes created to track Model risk should include:
- Identification of new Models and updating the status of existing Models;
- Identification of whether a Model has non-negligible risk and if it should be subject to lifecycle governance requirements;
- Assignment of a rating to new Models or updating an existing Model's risk rating where it has materially changed in substance or usage; and
- Storing in an institution's inventory all Models deemed to carry non-negligible inherent Model risk.
Federally regulated institutions should keep a comprehensive inventory of Models whose inherent risk is determined to be non-negligible. If, based on the application of the Model risk framework, a Model falls outside of the institution's risk appetite, the institution should remediate, for example by ceasing use of the Model.
Model Lifecycle Management
Federally regulated institutions should also ensure that their Model governance framework continually monitors Models and covers the entire lifecycle of a Model, including the design, data acquisition, development and deployment stages. For example, during the development stage, it is critical that an institution use suitable data that is appropriate for the intended use of the Model. An anticipated consequence of using flawed data in the development of a Model is the generation of biased outputs, which may result in discrimination. Institutions should also manage the lifecycle of a Model by regularly performing data quality checks, implementing controls to ensure the quality of data, and implementing controls to ensure that appropriate data cleansing operations are maintained for the Model.
Overall, the Guideline provides a welcome direction for federally regulated financial institutions on how to implement a dynamic framework to govern the use of AI and machine learning models using a risk-based approach.