AI Regulation Tracker / Regulation effective soon
Canada's OSFI E-23 puts every AI/ML model at a regulated bank or insurer under model-risk rules by May 2027
OSFI's finalized Guideline E-23 extends enterprise-wide model risk management to all AI and machine-learning models at federally regulated financial institutions, not just the models used for regulatory approval. Institutions have until May 1, 2027 to comply.
Canada's banking and insurance regulator has closed the gap between how firms govern their capital models and how they govern everything else that now runs on artificial intelligence. On September 11, 2025, the Office of the Superintendent of Financial Institutions finalized Guideline E-23, Model Risk Management, in a 2027 version that takes effect on May 1, 2027. The headline change is scope. E-23 now reaches every AI and machine-learning model a federally regulated financial institution uses, not only the models submitted for regulatory approval.
What OSFI actually changed
Earlier model risk expectations centered on the models that feed capital, provisioning, and regulatory reporting. The finalized E-23 widens the frame. OSFI writes that institutions are "increasingly relying on models to support or drive decision-making" and that "models now use more diverse data sources and complex techniques," including artificial intelligence and machine-learning models. The guideline sets a single enterprise-wide framework for identifying, assessing, and controlling model risk across the full population of a firm's models.
That means a fraud-detection classifier, an underwriting score, a customer-churn model, or a marketing propensity engine can now sit inside the same governance perimeter as a credit-risk model. The obligation is not limited to models that touch a regulatory filing. For many institutions this is the substantive shift. Machine-learning tools that grew up inside product, operations, or marketing teams, often outside the formal model risk function, now have to be found, catalogued, and brought under the same discipline as the models the risk department already tracks.
E-23 also names steps that are distinctive to modern AI work. It reaches the training and parameter-optimization stage, the quality and lineage of the data used to build a model, and the documentation that has to follow a model from design through to decommissioning. These are the points where machine-learning models tend to drift or fail quietly, and OSFI expects institutions to have controls and evidence at each one.
Risk-based, not one-size-fits-all
E-23 is a guideline, which makes it a supervisory expectation rather than a statute. OSFI applies it proportionally. The guideline states that requirements are "proportional to the institution's size, strategy, risk profile, nature, scope, and complexity of operations." A low-stakes internal model does not carry the same validation burden as a model that drives lending or pricing decisions. Firms are expected to tier their models by risk and match the depth of controls to each tier.
The duties themselves are familiar to anyone who has run a model risk program. They span the model lifecycle: data governance and data quality, model development and the training or parameter-optimization step, independent validation, ongoing performance monitoring, and lifecycle documentation from design through decommissioning. What is new is that AI and machine-learning models are explicitly named as in scope, and that the framework is meant to cover the whole enterprise.
Who has to move
The guideline applies to all federally regulated financial institutions. OSFI states it "applies to all federally regulated financial institutions, including foreign bank branches and foreign insurance company branches," and lists banks, life insurers, fraternal and property-and-casualty companies, and trust and loan companies. Provincially regulated credit unions and firms outside OSFI's mandate are not directly bound, though many watch OSFI guidance as a benchmark.
What it does not do
E-23 does not ban any AI technique, mandate a specific tool, or require pre-approval of individual models before deployment. It does not set a numerical accuracy or bias threshold. It is a governance framework, not a product rule. It tells institutions to know their models, control them according to risk, and be able to show their work. The compliance runway to May 1, 2027 is real time, but the practical task, a complete and current model inventory, is where most firms will find gaps.
For a US reader, the lineage is recognizable. E-23 sits in the same family as the Federal Reserve and OCC's SR 11-7 model risk guidance and parallels the risk-based supervisory approach taken by Australia's APRA. A US bank or insurer that operates a Canadian federally regulated entity cannot treat this as someone else's problem. It will need to extend model risk governance to all the AI and machine-learning models running inside that Canadian operation, on OSFI's timeline.
Frequently Asked Questions
What changed with OSFI Guideline E-23?
OSFI finalized the 2027 version of Guideline E-23 on September 11, 2025. It applies an enterprise-wide, risk-based model risk management framework to every AI and machine-learning model at a federally regulated financial institution, not just models used for regulatory approval. It takes effect May 1, 2027.
Who does E-23 apply to?
All federally regulated financial institutions in Canada, including banks, life and property-and-casualty insurers, fraternal companies, trust and loan companies, and foreign bank and insurance company branches. Canadian subsidiaries and branches of foreign banks and insurers are covered.
Is E-23 a binding law?
No. It is an OSFI guideline, meaning a supervisory expectation rather than a statute. OSFI supervises against it and applies it proportionally to each institution's size, complexity, and risk profile. Non-compliance is a supervisory matter, not a criminal or civil penalty.
What should a firm do before May 1, 2027?
Build a complete model inventory that captures every AI and machine-learning model, tier those models by risk, and put lifecycle controls in place covering data governance, training and validation, ongoing monitoring, and documentation for each model according to its risk level.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.