sitkastack

OSFI Guideline E-23

Office of the Superintendent of Financial Institutions (Canada) · Guideline E-23: Model Risk Management · Effective May 1, 2027 for all federally regulated financial institutions.

What it covers

OSFI Guideline E-23 expands prior model risk management expectations to cover AI and ML systems explicitly. It applies the full model risk management lifecycle to AI systems used in material decisions and integrates with Guideline B-10 for third-party model oversight. The guideline requires institutions to maintain a complete model inventory, apply risk-based classification, and govern models throughout their lifecycle.

Who it applies to

All federally regulated financial institutions in Canada: banks, trust and loan companies, insurance companies, and federally regulated pension plans. The guideline takes effect May 1, 2027. Institutions are expected to be in substantial compliance by that date, not merely beginning preparations.

The AI-relevant control objectives

  • Enterprise model inventory, including third-party AI systems
  • Risk-based classification reflecting complexity, autonomy, data sensitivity, and customer impact
  • Third-party model oversight aligned to Guideline B-10
  • Model documentation supporting board-level reporting and regulatory examination
  • Independent validation and ongoing monitoring procedures
  • Incident response and remediation procedures for model failures
  • Lifecycle governance from development through retirement

How sitkastack maps to it

What sitkastack delivers under this framework

For E-23 readiness, sitkastack engagements produce code-first governance artifacts that integrate with your existing GRC platform (AuditBoard, ServiceNow GRC, or equivalent). Typical engagements: E-23 Readiness Sprint (readiness assessment), AI Policy & Risk Pack (control documentation package), or 90-Day AI Build (production AI workflow with E-23-aligned controls).

Honest limitations

sitkastack produces audit-defense artifacts and reference implementations. I do not certify E-23 compliance. The deploying institution remains accountable for its own model risk classification, governance, and OSFI attestations.

Talk to me

Questions about how this maps to your environment? Email me.