OSFI’s E-23: A Guide for Canada’s Financial Leaders
- eugenekornevski
- Aug 6

The Clock is Ticking: Are You Ready for OSFI’s E-23? A Guide for Canada’s Financial Leaders
A major regulatory shift is on the horizon for Canada's financial sector, and if you're not already preparing, you're behind. The Office of the Superintendent of Financial Institutions (OSFI) has completely overhauled its Guideline E-23 on Model Risk Management. With a final deadline of July 1, 2025, this isn't just another update—it's a new paradigm that moves model risk from a technical back-office issue to a C-suite strategic priority.
This change is driven by the explosion of complex models and, most importantly, the rise of Artificial Intelligence (AI) and Machine Learning (ML) in finance. Models now drive everything from pricing and risk management to customer interactions and strategic planning. OSFI's new guideline is a direct response to this new reality, demanding a more robust and comprehensive approach to governance.
What’s Changed? The New E-23 at a Glance
The 2025 version of Guideline E-23 is a significant expansion of the original 2017 rules. Here are the most critical changes you need to understand:
- Expanded Scope: The guideline no longer applies just to banks. It now covers all Federally Regulated Financial Institutions (FRFIs)—including insurers—and all Federally Regulated Private Pension Plans (FRPPs).
- Broader Definition of "Model": The definition of a model is now intentionally broad, explicitly including AI/ML methods. This has led to industry concerns that even simple spreadsheet tools could fall under its purview.
- Expanded Definition of "Model Risk": The risk definition now includes adverse operational consequences, in addition to financial and reputational ones. This aligns E-23 with OSFI's wider focus on operational resilience.
- All Models Are In-Scope: The new framework must cover all models, regardless of their individual materiality. Proportionality applies to the intensity of the controls, not whether a model is included in the governance framework.
The Seven Pillars of E-23 Governance
At its core, the new guideline is built on seven principles that every institution must adopt:
- Integration: Build controls into every stage of the model lifecycle, from development to decommissioning.
- Proportionality: Scale the intensity of your risk management activities based on the model's risk and complexity.
- MRM Framework: Establish a formal, enterprise-wide framework for managing model risk.
- Model Inventory: Maintain a centralized, "evergreen" inventory of every model in use or recently retired. This is your single source of truth.
- Lifecycle Governance: Create formal policies and procedures for every phase of a model's life.
- Data Governance: Recognize that a model is only as good as its data. Implement strong policies for data quality, lineage, and fitness for purpose.
- Risk Rating: Develop a system to classify the risk of each model, which will determine the level of scrutiny it receives.
The AI Challenge: Taming Complexity
The explicit inclusion of AI and machine learning is perhaps the most significant part of the new guideline. AI models introduce unique and amplified risks that demand a more sophisticated approach to governance:
- Bias and Fairness: AI can perpetuate and amplify biases found in training data, leading to discriminatory outcomes and significant reputational damage.
- Explainability: Many AI models are "black boxes," making it difficult to understand how they reach their conclusions. This directly challenges the E-23 requirement for models to be "conceptually sound".
- Stability: AI models can "drift" and their performance can degrade quickly, requiring a shift from periodic validation to more frequent, near real-time monitoring.
- Third-Party Risk: Institutions remain fully accountable for vendor-supplied AI models, requiring rigorous due diligence and validation even when the underlying mechanics are proprietary.
Successfully navigating these challenges requires new skills. Validation can no longer be handled by quantitative analysts alone; it requires a multidisciplinary team of data scientists, ethicists, and legal experts.
Your Blueprint for Compliance: Key Actions to Take Now
The July 2025 deadline is approaching fast. Here are the essential steps every organization should be taking:
- Centralize and Standardize: Break down silos and create a single, unified Model Risk Management (MRM) function with consistent policies and methodologies across the entire enterprise.
- Inventory Everything: The first and most critical task is to identify and catalogue every single model that falls under the new, broad definition. This inventory is the foundation of your entire framework.
- Adopt a Risk-Based Approach: While all models must be inventoried, they don't all need the same level of scrutiny. Develop a robust tiering system to classify models by risk level. This allows you to focus your most intensive validation resources on the highest-risk models.
- Automate Your Processes: For most institutions, manual tracking with spreadsheets is no longer viable. Invest in technology to automate inventory management, validation testing, and performance monitoring to handle the scale and complexity required.
- Hold Vendors Accountable: Strengthen your third-party risk management. Embed strict requirements for documentation, validation support, and data access into all new vendor contracts.
Beyond Compliance: A Strategic Opportunity
While the road to E-23 compliance is challenging, it's a mistake to view it as just another regulatory burden. Embracing the principles of E-23 is a strategic opportunity to build a more resilient, innovative, and trustworthy organization.
A strong MRM framework leads to better, more reliable models, which in turn drives smarter business decisions. It provides the necessary guardrails to innovate safely with powerful technologies like AI, accelerating rather than stifling progress. Ultimately, in an age of growing public skepticism, demonstrating that your models are fair, robust, and well-governed is a powerful way to build trust with customers, investors, and regulators alike.
The message from OSFI is clear: the era of informal model governance is over. The time to act is now.