OSFI Guideline E-23 - Model risk management (2027)

OSFI E-23 model risk management, built for AI and ML

OSFI Guideline E-23 sets supervisory expectations for how federally regulated financial institutions manage model risk across the full lifecycle, and the 2027 version folds AI and ML models directly into scope. Effective May 1, 2027. VerifyWise gives you the tiering, validation, monitoring and inventory to meet those expectations.

A principles-based, technology-neutral supervisory guideline. No fixed fines, gaps surface through OSFI supervision.

Effective May 1, 2027, with an 18-month transition period set by OSFI.

What is OSFI Guideline E-23?

OSFI Guideline E-23 is the Office of the Superintendent of Financial Institutions' supervisory framework for model risk management (MRM). The final 2027 version, published September 11, 2025, is principles-based and technology-neutral. It sets expectations for identifying, assessing, managing and monitoring the risk that models introduce across their full lifecycle.

The guideline was broadened from earlier deposit-taking-focused guidance to cover all models used by federally regulated financial institutions, and it explicitly names artificial intelligence and machine learning models. Model risk is defined as adverse financial, operational or reputational impact arising from the design, development, deployment or use of a model.

Full lifecycle

Design, review, deployment, monitoring, decommission

Technology-neutral

Same rigor for a regression or a large AI model

Aligns with model risk principles in the EU AI Act and SR 11-7.

Who needs to comply?

  • Banks and foreign bank branches
  • Trust and loan companies
  • Life insurers and fraternal benefit societies
  • Property and casualty insurers and insurance company branches
  • Applied on a risk basis, proportional to each institution's size, strategy, risk profile and complexity

Excluded: federally regulated pension plans. Earlier E-23 drafts covered FRPPs, but the final version removed them. Plan administrators are directed to CAPSA Guideline No. 10 instead.

Scope covers all models with non-negligible risk, including those that fall outside regulatory approval.

Tier every model, then calibrate the rigor

E-23 expects every model to get a risk rating from quantitative factors (portfolio size, financial impact) and qualitative factors (complexity, data reliability, customer impact). Ratings drive how much governance each model gets and are reviewed on trigger events. AI and ML models typically warrant higher ratings and stronger controls.

Tier 1Highest materiality

Most intensive governance, most frequent monitoring, tightest revalidation triggers

Large portfolios, high financial impact, complex or AI/ML models

Tier 2Moderate materiality

Proportionate validation and scheduled monitoring

Moderate impact, moderate complexity and data reliability

Tier 3Lower materiality

Lighter-touch validation, periodic review

Small portfolios, low impact, simple and well-understood models

VerifyWise tiers each model into one of three tiers by materiality drivers, and a tier increase can automatically open a revalidation task.

What E-23 expects you to do

Eight principles-based expectations, from an enterprise-wide framework to AI and ML controls.

Framework

Enterprise-wide model risk framework

Risk-based policies to identify, assess, manage and monitor model risk, proportional to size, complexity and interconnectedness.

Scope

Broad model definition covering AI and ML

Theoretical, empirical, judgmental and statistical techniques, including AI and ML, that turn input data into results.

Lifecycle

Full model lifecycle governance

Five components across the life of a model: design, review, deployment, monitoring and decommission.

Tiering

Model risk rating and tiering

An inherent-risk rating from quantitative and qualitative factors, refreshed on trigger events.

Validation

Independent validation and review

Validation independent from development, confirming sound specification and fitness for purpose.

Governance

Defined roles and accountability

Owner, developer, independent reviewer, approver and user, with senior management holding enterprise accountability.

Inventory

Firm-wide model inventory

All non-negligible models with ID, owner, version, risk rating, data sources, dependencies, approved uses, limitations, review dates and decommission status.

Monitoring

Ongoing monitoring and AI/ML controls

Performance monitoring plus transparency and explainability, controls for black-box or autonomous models, bias, privacy and drift monitoring under multi-disciplinary governance.

The five lifecycle components

E-23 governs a model from its initial rationale through formal retirement. Controls and documentation run across every stage, and VerifyWise touches each one.

1

Design

Rationale, data and development documented.

VerifyWise: Captured in the model inventory.

2

Review

Independent validation before use.

VerifyWise: Six-section independent validation reports.

3

Deployment

Approval and roles recorded.

VerifyWise: Approval and roles recorded on the model.

4

Monitoring

Ongoing performance monitoring.

VerifyWise: Metric thresholds with breach severities.

5

Decommission

Formal retirement and last review tracked.

VerifyWise: Inventory tracks retirement and next review.

How compliance is enforced

E-23 is a principles-based supervisory guideline, not a statute, so it creates no fines or monetary penalties. Institutions are expected to meet these standards, and gaps are addressed through OSFI's normal supervisory process.

Supervisory findings

Findings and requirements to remediate raised through OSFI's supervisory process.

Heightened scrutiny

Increased reporting and closer supervisory attention where gaps persist.

Intervention / ratings action

In serious cases, OSFI intervention or ratings actions rather than a fixed fine.

The guideline does not prohibit any modeling approach. The cost of non-alignment is supervisory, reputational and remedial, not a fixed fine.

E-23 expectations, mapped to VerifyWise capabilities

Each E-23 expectation maps to a capability already built into the VerifyWise model risk management module. This helps you meet the guideline, it does not replace your own judgment.

E-23 expectationVerifyWise MRM capability
Model risk rating and tiering by inherent risk (quantitative and qualitative factors), refreshed on trigger eventsManual tiering into three tiers by materiality drivers; a tier increase automatically opens a revalidation task, keeping ratings current on change.
Independent validation and review, separate from development, confirming sound specification and fitness for purposeSix-section validation reports (purpose and scope, conceptual soundness, data review, outcomes analysis and more) with evidence links and findings logged by severity and lifecycle stage.
Ongoing monitoring of model performance, with enhanced drift monitoring for AI and MLMetric thresholds such as PSI and AUC with warn, high and critical breach severities, and breach actions to notify or notify and flag for revalidation.
Review triggered by performance breaches, data changes, material change and on a periodic basisRevalidation triggers (breach, material change, tier increase, scheduled) auto-open validation tasks, recorded in an append-only audit log.
An inventory of all models with non-negligible risk, tracking usage, review dates and decommissioningModel inventory capturing owner, version, risk rating, review status and dates, plus lifecycle state through to decommission.
Enterprise-wide accountability and oversight of the model risk framework by senior managementPer-tier attestation roll-up (blocked or ok) covering tiering current, validation coverage, monitoring active and open findings for oversight visibility.
Full-lifecycle governance across design, review, deployment, monitoring and decommissionTiering, validation, monitoring, revalidation and inventory span the lifecycle from initial rationale through formal retirement.
Continuous, current model performance data feeding monitoring without manual re-entryMachine-to-machine metric ingestion tokens push live metrics into monitoring against configured thresholds.

Where most model risk programs fall short

Many teams meet the expectations on paper but run them on spreadsheets and documents. Here is where those setups break, and what closes each gap.

The inventory lives in a spreadsheet

A shared workbook goes stale between reviews, has no owner per row and cannot show a supervisor when a model was last touched.

A single model inventory with owners and metadata per model, kept current through machine-to-machine ingestion tokens rather than manual edits.

Validation reports sit in scattered documents

Word files and email threads make it hard to prove independence, find evidence or show that every required section was covered.

Six-section validation reports with evidence links and findings logged by severity and stage, produced independently of the model's developers.

Monitoring is manual or does not happen

Drift and performance decay are caught late, if at all, and there is no record of what threshold was breached or what was done about it.

Metric thresholds such as PSI and AUC with warn, high and critical severities and defined breach actions, so decay surfaces and is actioned on a schedule.

Revalidation depends on someone remembering

A material change or a breach should reopen validation, but without a trigger it waits for the next annual cycle.

Breach, material change, tier increase and scheduled triggers open validation tasks automatically, each written to an append-only log.

Tiering is inconsistent across teams

Different groups rate the same class of model differently, so validation effort does not track real materiality.

One tiering scheme by materiality drivers that sets validation depth, monitoring cadence and attestation expectations per tier.

Program health is a manual quarterly scramble

Pulling together coverage, overdue validations and open findings for the board or a supervisor takes days of spreadsheet work.

A per-tier attestation roll-up (blocked or ok) that reads current coverage, monitoring status and open findings on demand.

How VerifyWise supports OSFI E-23

The model risk management module covers tiering, validation, monitoring, revalidation, attestation and inventory in one audit-logged workflow.

Model tiering

Manually tier every model into one of three tiers by materiality drivers, giving you the risk rating E-23 expects and driving proportional governance.

Independent validation

Six-section validation reports (purpose and scope, conceptual soundness, data review, outcomes analysis and more) with evidence links and findings tracked by severity and lifecycle stage.

Ongoing monitoring

Metric thresholds such as PSI and AUC with warn, high and critical breach severities, and configurable breach actions (notify, or notify and flag for revalidation).

Revalidation triggers

Breach, material change, tier increase or scheduled triggers automatically open a validation task, with an append-only audit log.

Attestation roll-up

Per-tier attestation (blocked or ok) covering tiering current, validation coverage, monitoring active and open findings, so oversight can see readiness at a glance.

Inventory and metric ingestion

A model inventory plus machine-to-machine metric ingestion tokens so monitoring stays current without manual entry.

Every tiering decision, validation, breach and revalidation is timestamped in an append-only log, the reproducible trail E-23 documentation expectations call for.

E-23 puts AI and ML models directly in scope

The 2027 model definition explicitly names AI and ML methods, so machine learning, deep learning and generative models sit inside the lifecycle, tiering, validation, inventory and governance expectations.

Transparency and explainability

Black-box and autonomous models need controls for explainability and feature governance, which E-23 folds into validation.

Drift, bias and privacy monitoring

AI and ML models typically warrant higher ratings, with enhanced monitoring for drift, bias and privacy risks after deployment.

Multi-disciplinary governance

Reviewers must be fluent in ML failure modes, and vendor or foundation models stay the institution's responsibility to validate and control.

What E-23 ready looks like

Per-tier attestation rolls four checks into a single status you can show leadership and supervisors before a gap is found for you.

OK

Tiering current

Every model tiered and dates fresh

OK

Validation coverage

Required validations complete per tier

OK

Monitoring active

Thresholds live and breaches actioned

Blocked

Open findings tracked

Findings logged by severity and stage

When all four are green per tier, attestation rolls up to OK. Any gap shows as blocked before a supervisor finds it.

Frequently asked questions

Common questions about OSFI Guideline E-23 and model risk management.

E-23 applies to all federally regulated financial institutions (FRFIs) in Canada, including banks, foreign bank branches, trust and loan companies, life insurers and fraternal benefit societies, property and casualty insurers, and insurance company branches. It is applied on a risk basis, proportional to each institution's size, strategy, risk profile and complexity. Notably, the final version excludes federally regulated pension plans, which are directed to CAPSA Guideline No. 10 instead.
The final Guideline E-23 (2027) was published on September 11, 2025 and becomes effective on May 1, 2027. OSFI has set an 18-month transition period for institutions to align their model risk management practices.
Yes. The 2027 version was significantly broadened and its model definition explicitly names AI and ML methods. Machine learning, deep learning and generative models fall squarely within the lifecycle, risk-rating, validation, inventory and governance expectations. E-23 also adds AI/ML-specific considerations such as transparency and explainability, controls for black-box or autonomous models, bias and ethical implications, privacy risks, and enhanced monitoring for model drift.
E-23 is a principles-based supervisory guideline, not a statute, so it does not create fines or monetary penalties. Compliance is enforced through OSFI's normal supervisory process. Gaps can lead to supervisory findings, requirements to remediate, heightened scrutiny, and in serious cases OSFI intervention or ratings actions. The consequences are supervisory, reputational and remedial rather than a fixed fine.
VerifyWise's model risk management module maps directly onto E-23's expectations. It tiers each model by materiality, runs independent six-section validation reports with evidence and findings, monitors performance against metric thresholds like PSI and AUC, auto-opens revalidation tasks on breach or material change with an append-only audit log, rolls up attestation per tier for oversight, and maintains a model inventory fed by machine-to-machine metric ingestion. Together these cover the tiering, validation, monitoring, inventory and lifecycle governance that E-23 expects.

Get E-23 ready before May 2027

Walk through your model inventory, tiering and validation gaps with the VerifyWise team.

OSFI E-23 model risk management compliance | VerifyWise