What E-23 Means for AI & Model Risk Management in Canada

Artificial intelligence is transforming the global financial landscape, yet trust in AI remains tenuous. In Canada, only 32% of people express trust in AI, lagging behind the global average (39%) and the U.S. (40%). Meanwhile, the stakes are rising: studies suggest that generative AI could lift Canada’s productivity by as much as 6% over the next decade, offering a critical boost to competitiveness and growth.
In this context, strong, thoughtful governance is essential. Without clear, credible guardrails, innovation risks stalling under the weight of public skepticism, regulatory uncertainty, and operational risk.
Recognizing the urgency, the Office of the Superintendent of Financial Institutions (OSFI) has released a major update to its model risk management (MRM) expectations for federally regulated financial institutions. Guideline E-23 significantly broadens the scope of model governance, explicitly addressing emerging risks from AI and other complex technologies.
Done right, compliance with E-23 can become a catalyst for innovation, scalability, and market leadership. But the new demands are substantial. Without a proactive, strategic response, firms risk validation bottlenecks, operational slowdowns, and missed opportunities—consequences that could ripple through their balance sheets and Canada’s broader economic ambitions.
This technical guide is designed to help financial institutions understand this guidance and build future-proof AI Governance and MRM playbooks. After breaking down the seven principles in practical terms, we explore four key leadership actions that capture the essence of OSFI’s guidance and are already delivering tangible value in leading Canadian financial institutions:
- Centralize: Build a unified, enterprise-wide approach to model governance.
- Standardize: Create consistent frameworks that scale with complexity and risk.
- Communicate: Elevate model risk as a strategic priority across the organization.
- Automate: Leverage technology to enhance oversight, efficiency, and resilience.
An Overview of E-23
Guideline E-23 applies to all Federally Regulated Financial Institutions (FRFIs), including banks, deposit-taking institutions, federally regulated insurers, and federal private pension plans (FRPPs). The guideline sets out OSFI’s MRM expectations for these institutions. MRM is the discipline of identifying, assessing, and mitigating the risks that arise from using models in decision-making. While relevant across many sectors, MRM is especially critical in financial services, where models are deeply embedded in core activities such as credit approval, trading, capital adequacy, and risk forecasting. In this context, weak model governance can result in material financial loss, regulatory non-compliance, and reputational damage.
The guidance covers models used for financial (e.g., credit, market, and insurance liabilities) and non-financial risks (e.g., climate risk, cyber risk, and other decision-support tools). OSFI explicitly includes AI in its definition of a model, describing it as:
“The application of theoretical, empirical, judgmental assumptions and/or statistical techniques, including AI/ML methods, which process input data to generate results.”
E-23 Timelines
OSFI’s consultation on the draft of Guideline E-23 closed in March 2024. FRFIs are expected to be in compliance — or demonstrably progressing toward it — by July 1, 2025.
Regulatory Trajectory
E-23 constitutes formal supervisory guidance and is a key part of OSFI’s risk oversight toolkit. Institutions must demonstrate alignment with E-23 as part of sound risk management practice. Failure to do so may trigger supervisory action, including open findings, enhanced monitoring, and potential capital adequacy adjustments under Pillar 2. Inadequate model governance, particularly for AI/ML, may also affect an institution’s ability to justify its overall risk posture to OSFI, undermining confidence in its internal control environment.
This supervisory approach is consistent with OSFI’s application of other non-binding guidelines, such as B-10 (Third-Party Risk Management) and E-21 (Operational Resilience), where institutions have faced intensified scrutiny, mandated remediation, or capital overlays for failing to meet expectations.
Download the full technical brief to unpack:
- 7 principles for model risk management
- A structural blueprint to go from principle to practice
- How to turn obligation into opportunity
- Case study: One bank’s journey to compliance
