OSFI Releases Final Guideline E-23 for Model Risk Management and AI Use by Federally Regulated Financial Institutions

On September 11, 2025, as part of its quarterly release of regulatory changes, the Office of the Superintendent of Financial Institutions Canada (OSFI) published its final version of Guideline E-23 Model Risk Management 2027 (Final Guideline). The Final Guideline, which will take effect on May 1, 2027, addresses emerging technology risks and imposes risk management requirements on the use of artificial intelligence (AI) models in federally regulated financial institutions (FRFIs).

The Final Guideline comes after a series of public consultations and discussions with key stakeholders following the publication of a draft guideline in 2024 (Draft Guideline). See our previous Blakes Bulletin on this topic for an overview of the Draft Guideline. FRFIs subject to the Final Guideline include banks, foreign bank branches, life insurance and fraternal companies, property and casualty companies, and trust and loan companies.

Unlike the Draft Guideline, which had originally included federally regulated pension plans (FRPPs) as in scope, the Final Guideline excludes FRPPs. However, OSFI expects that plan administrators will follow the Canadian Association of Pension Supervisory Authorities' Guideline No. 10: Guideline for Risk Management for Plan Administrators to address pension risk management, including through the use of AI models.

The Final Guideline sets out OSFI's expectations for enterprise-wide model risk management (MRM) frameworks. To effectively assess model risks, organizations should establish a multi-disciplinary team representing a wide range of expertise and functions from across the organization, including legal and ethics professionals.

The MRM requires FRFIs to develop risk-based policies and procedures for model use that are proportional to their size, risk profile, complexity of operations and interconnectedness in the financial system. These policies and procedures should be situated within an organization's broader governance framework. Notably, the MRM requires FRFIs to (among other things):

• Define the processes and requirements to identify, assess, manage and monitor model risk
• Establish methods for tracking model usage and decommissioning models that are no longer used
• Develop clear policies and procedures for the major components of the MRM framework, such as model identification, model inventory, model risk ratings and requirements for model lifecycle governance
• Establish model risk reporting and review standards
• Include models or data sourced from external sources like foreign offices or third-party vendors, pursuant to OSFI Guideline B-10 Third-Party Risk Management Guideline
• Create a model inventory that keeps a record of all models, including their model risk rating

As part of the MRM, organizations are required to develop a model risk rating scale based on quantitative and qualitative requirements. The model risk rating will dictate:

• Frequency, intensity and scope of model review
• Documentation requirements
• Level of authority required to approve the model and any exemptions, as needed
• Frequency, intensity and scope of model monitoring
• Interval at which the risk rating is re-assessed
• Limits or constraints on model usage and safeguards
• Necessary controls and mitigants for model risk

Consistent with OSFI's focus on risk-based regulation, the Final Guideline recognizes that FRFIs increasingly rely on models that use diverse data sources and complex modeling to drive decision-making, which could expose FRFIs to financial loss from flawed decision-making, operational losses and reputational damage - potentially leading to knock-on effects in the broader financial system. By introducing a principles-based framework that is intended to strengthen governance and oversight of models and that is technology agnostic, the Final Guideline aims to allow FRFIs to innovate while maintaining sound risk management practices to safeguard against potential harms associated with model failures or misuse.

It is evident from the Final Guideline that a static compliance program will not satisfy OSFI's expectations for model risk mitigation under the MRM. Rather, organizations must demonstrate a commitment to ongoing testing, monitoring and review throughout the entire model lifecycle. In practice, this will require that FRFIs adapt their governance frameworks, establish AI policies and procedures and expand the scope of compliance programs. Additionally, FRFIs will need to assess their approach to managing third-party relationships to improve disclosure and data management practices to avoid incurring AI-related risk.

OSFI's Final Guideline is likely welcome for FRFIs who have little formal direction on implementing AI, particularly after Bill C-27 (which included the proposed Artificial Intelligence and Data Act) died on the order paper before the 2025 federal election. Currently, only Quebec's private sector privacy law expressly addresses automated decision-making by requiring organizations to be transparent about decisions made using personal information without human intervention. No other Canadian government has enacted rules governing AI in the private sector.

However, additional regulatory requirements will likely be imposed on FRFIs with respect to AI in the coming years. In May 2025, OSFI, the Department of Finance Canada and the Global Risk Institute (GRI) held the first of four workshops as part of the second Financial Industry Forum on Artificial Intelligence (FIFAI II). In July 2025, OSFI released a report on AI best practices for FRFIs to mitigate cybersecurity and security risks. Subsequent workshops in FIFAI II will focus on the nexus between AI and financial crime, consumer protection and financial stability.

For further information, please do not hesitate to reach out to the authors, or any other member of the Financial Services or Technology group.

Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.

For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2025 Blake, Cassels & Graydon LLP