A Model Risk Management Overview of E-23 Compliance Strategies

E-23, the model risk management (MRM) guideline issued by Canada’s Office of the Superintendent of Financial Institutions (OSFI), has been the standard for governing models since 2017. Initially focused on banking, it has been expanded to reflect the current AI-driven financial landscape. 

In September 2025, OSFI released the final version of E-23, set to take effect in May 2027, giving institutions an 18 month window to adapt to the regulation. The update now applies to all federally regulated financial institutions (excluding pension plans), and has adopted a principles-based approach, stricter conditions for third party models, and stronger governance, with senior management playing a more active role in oversight.

The guideline also requires institutions to distinguish between inherent and residual model risk that remains after controls. Under E-23, models should only be used when they support decision making, align with a firm’s risk appetite, and remain transparent, explainable, and appropriately applied across all model types. This updated framework will help institutions manage risks as these AI models continue to shape almost every aspect of financial decision making. 

Why E-23 Matters Today

For MRM teams, E-23 ensures that models are effective, transparent, and trustworthy, providing safeguards for financial sectors reliant on complex AI models. The 2025 update strengthens this framework by introducing a risk-tiering system to guide oversight and inventories to include third party and decommissioned models.

Governance and oversight are key aspects with this update. Boards are expected to take on an active role by questioning assumptions, allocate resources, and overseeing high impact use cases. Fairness, explainability, and accountability are also OSFI obligations. Meeting them requires minimum documentation of assumptions, data lineage, validation results, and change history. These shifts make it clear that E-23 is intended as a living framework that evolves with technology and embeds risk awareness into everyday model use.

Core Components of E-23

Model Inventory and Development

Institutions must maintain a full model inventory. This applies to all models whose inherent risk is more than negligible, allowing institutions to focus governance on models with meaningful impact. Each entry should track ownership, purpose, risk rating, version, and status to ensure transparency and support effective oversight, even if that means compensating controls.

Model Decommissioning

Outdated models must be formally retired with archived versions and training data for auditability. By keeping decommissioned models in the inventory for reference, the framework reduces the risk of hidden reliance on flawed outputs, helping organizations focus resources on models that are current, validated, and aligned with business and regulatory objectives.

Change Management and Monitoring

Structured change control is required. Firms must document retraining events, monitor for drift, and reevaluate models when material changes occur. E-23 sets a standard for revalidation and continuous monitoring to ensure models remain aligned with their intended use.

Governance and Oversight

Boards and senior management are accountable for model risk, with oversight being multidisciplinary and well resourced. Governance also extends to models or data sourced from external providers or foreign offices, which should align with third-party risk management requirements under Guideline B-10.

Read more about E-23 in our infographic: Navigating E-23: Key Trends for Canadian Banks 

Implementation Challenges and Transition

Although E-23 takes full effect in 2027, OSFI expects firms to show progress throughout the transition, starting with gap assessments, roadmaps, and prioritization of high risk models. Preparing early will ease supervisory reviews and limit last minute errors.

Implementing the guideline won’t be without obstacles. Institutions face the challenge of managing large and diverse inventories while MRM teams continue to struggle with validating vendor models and balancing innovation and explainability. Coordinating governance across technical and business lines adds another layer of complexity. The transition period should therefore be treated as an opportunity to demonstrate progress, with OSFI expecting clear evidence of this well before 2027.

The Next Steps

E-23 is a strategic foundation for responsible innovation. By clarifying lifecycle expectations, oversight, and responsibility, the guideline enables institutions to adopt advanced modeling approaches without undermining stakeholder confidence. Firms that act early will be more prepared for an era defined by AI, data-driven decision making, and stakeholder scrutiny.

If you want to learn more about how ValidMind can keep you compliant with E-23, download our technical brief now.