The AMF proposes a framework for using AI in financial services: Obligations for financial institutions

According to a joint report by the Office of the Superintendent of Financial Institutions and the Financial Consumer Agency of Canada, some 70% of federal financial institutions expect to be using AI by 2026.¹

Given the rapid rise of artificial intelligence in Canada, particularly in the emerging Insurtech and Fintech sectors, the Autorité des marchés financiers (AMF, Quebec's securities regulator) published its Guideline on the Use of Artificial Intelligence (Guideline) on July 3, 2025, to clarify its expectations regarding the measures financial institutions should implement for the responsible use of artificial intelligence systems (AIS).

While AIS offer significant competitive advantages and efficiencies, they also entail notable risks, particularly concerning compliance, privacy, and operations. The Guideline thus continues the AMF’s initiatives aimed at regulating emerging technologies, while ensuring protection of the public and the resilience of the financial sector.

This legal update summarizes the AMF’s main expectations of financial institutions, including authorized insurers, financial services cooperatives, authorized trust companies and authorized deposit institutions.

Risk classification and management

The AMF expects each financial institution to assign a risk rating to each of its AIS. This rating must be based on precise criteria, such as the system’s technical features, the quality and nature of the data used and the institution’s overall exposure. It must be reviewed periodically to reflect developments in technology and usage. 

This assessment will serve as the basis for applying policies, processes and internal controls, which must be adapted to the assigned risk rating, with reinforced requirements for high-risk AIS.

AIS life cycle

The AMF requires financial institutions to develop, document, approve and implement processes and controls covering the entire life cycle of their AIS. First, the AMF expects the use of an AIS to be justified as compared to other possible solutions. In addition, the institution must ensure the quality of the data used to train the AIS, whether it is primary, secondary, structured or unstructured data.

The AMF also expects institutions to put in place processes for the design, procurement and validation of their AIS, as well as ongoing supervision in order to quickly detect any biases, security incidents, conflicts of interest or other anomalies.

Strengthened governance

The AMF insists on the accountability of governing bodies and expects institutions to clearly define the roles and responsibilities of each player at every stage of the AIS life cycle. Each AIS must be placed under the responsibility of a designated manager, who must report to a member of senior management who is accountable for all of the institution’s AIS. 

Senior management must develop an AI risk management policy and maintain an adequate level of knowledge regarding the technology used. 

The board of directors must promote a culture of responsible AI use, be aware of the risks and limitations of AIS, and ensure board members collectively have sufficient expertise in the field.

The risk management team is responsible for establishing a validation framework and ensuring risk management, while internal audit assesses the effectiveness of governance and internal control mechanisms related to using AIS.

Centralized and transparent AIS management

The AMF requires financial institutions to maintain a centralized directory of their AIS, which must contain the necessary information for decision-making, risk assessment and supervision of these systems. In addition, institutions must produce regular reports on AI-related risks and share them with the relevant stakeholders, including senior management.

Each financial institution should assess and reassess its risk appetite and tolerance levels for key risks in light of its use of the AIS. 

Fair treatment of clients 

The AMF pays particular attention to ethical issues and protecting clients. It expects each institution to put in place a code of ethics and mechanisms to prevent and quickly rectify any form of discrimination or bias, while providing thorough documentation.

Increased vigilance is also required over the quality of the secondary data used, particularly when the results generated by an AIS could have an impact on clients. Institutions must provide clear information to their clients, obtain their informed consent, offer them the opportunity to interact with a human being when necessary, and provide them with simple, comprehensible explanations concerning decisions made or influenced by an AIS.

Conclusion

The Guideline marks a key step in providing a framework for AI in Quebec’s financial sector. Without curbing innovation, the AMF seeks to ensure it is used diligently, ethically and responsibly. With this in mind, we encourage financial institutions to consider implementing the measures proposed in this document right away, in anticipation of its possible imminent adoption.

The AMF invites interested parties to submit their feedback by November 7, 2025.

The authors would like to thank Charles-Antoine Bordeleau, articling student, for his contribution to preparing this legal update.