OSFI E-23 Checklist: Find Your Compliance Gaps Before May 2027

Most model risk teams already have a governance program. The question Guideline E-23 forces is whether that program can prove itself. Published by the Office of the Superintendent of Financial Institutions (OSFI), E-23 takes effect May 1, 2027, and it applies to every federally regulated financial institution in Canada, including insurers and branches. It covers all models with more than negligible risk, whether built in-house or sourced from a vendor, and it expressly includes AI and machine learning.
The hard part is not knowing E-23 exists. It is knowing exactly where your organization falls short of it, and doing that before a supervisor does it for you. That is what our free E-23 Model Risk and AI Governance Compliance Checklist is built to surface.
What the checklist covers
The checklist walks through five areas that mirror the structure of the guideline:
- Governance across the lifecycle, including accountability, human oversight, and independent validation at every stage
- Risk-based tiering, so controls scale to each model’s risk
- Enterprise-wide oversight, including aggregate risk exposure and board reporting
- Model inventory, a single current source of truth across in-house, vendor, and third-party models
- Data and model risk integration, aligning data governance with model governance
Each section pairs quick business checks with deeper technical checks mapped to the specific E-23 principles, and flags the roles responsible for each area, so it is easy to circulate across teams. No single person answers everything; your organization collectively should be able to answer yes to all of it. Every no is a gap worth closing while there is still time.
Get the checklist
Download the E-23 Model Risk and AI Governance Compliance Checklist to find your gaps section by section. If you want to go deeper on how to sequence the work ahead of the deadline, see our guide to E-23 compliance strategies.
Ready to talk E-23 strategy? Learn more at validmind.com.



