New Guidance For AI Models In The Financial Sector Take Effect In May 2027

On September 11, 2025, the Office of the Superintendent of Financial Institutions (OSFI) released its amendments to Guideline E-23 on Model Risk Management (the New Guideline). The New Guideline sets out OSFI’s expectations concerning model risk management (MRM) by federally regulated financial institutions (FRFIs) which, after an eighteen-month transition period, will be effective as of May 1, 2027.

The New Guideline significantly broadened the definition of “models” covered by the guideline and specifically refers to models that include artificial intelligence or machine learning. The prior version of Guideline E-23 only captured models that generate quantitative estimates, but the New Guideline applies to any model that “processes input data to generate results”. As a result, the New Guideline will encompass any models used by an FRFI, such as those used for administrative or HR purposes, not just financial models.

The New Guideline similarly broadened the scope of organizations subject to its expectations to include all FRFIs. The prior version of Guideline E-23 applied only to deposit-taking institutions. Notably, federally regulated pension plans are excluded from the scope of the New Guideline as alternative industry guidance addressing risk management is already available.

The New Guideline sets out three expected outcomes that FRFIs should achieve by complying with the guideline:

1. Model risk is well understood and managed across the enterprise
2. Model risk is managed using a risk-based approach
3. Model governance covers the entire model lifecycle

These outcomes should be achieved through the establishment of an enterprise-wide MRM framework that reflects the FRFI’s appetite for risk, assigns responsibilities to senior management, and allocates adequate resources to manage, mitigate, or accept those risks as appropriate. The MRM framework should establish an approach to rating model risk using clear, measurable criteria including both quantitative and qualitative factors that will apply to an inventory of all in-use and recently-decommissioned models that the FRFIs are expected to maintain and update. The MRM framework should also establish the scope, scale, and intensity of the monitoring, documentation, and approval requirements based on the model risk rating.

The New Guideline sets out expectations for FRFIs at each of nine identified stages of a model lifecycle: model design, model rationale, model data, model development, model review, model approval, model deployment, model monitoring, and model decommission.

Summary By: Richard Austin and Amy Ariganello